易璞 发表于 2015-9-6 12:33:13

关于buffalo TS5000系列高端机器ROOT问题,思路已经有了

国外大神弄差不多同款机器(LS400)的思路是:解包固件,改代码,打包回去,强刷。
解包修改打包都有现成的源码,不过仅对LS400系列的有效


原文链接(需走天桥访问,走不了的看下面的截图):https://tohenk.wordpress.com/2014/11/11/opening-stock-firmware-of-linkstation-ls421de/




使用到的工具包下载:https://github.com/tohenk/linkstation-mod/archive/master.zip



./scripts/open-ls-rootfs.sh内容#!/bin/bash

# Original script from http://buffalo.nas-central.org/wiki/Open_Stock_Firmware_LS-XHL
# Modified by Toha <tohenk@yahoo.com>

# check for parameters
if [ $# -ne 1 ]; then
echo "You have to specify the filename of the firmware zip-file!\n"
exit 1
fi
if [ ! -f "$1" ]; then
echo "File not found $1.\n"
exit 1
fi

MYDIR=`dirname $0`
MYDIR=`pushd $MYDIR > /dev/null && pwd -P && popd > /dev/null`
ROOT=`pwd`
OUTDIR=$ROOT/out
TMP=$ROOT/tmp
ORIGINAL=$TMP/ORIG
ROOTFS=$TMP/ROOTFS
ROOTFS_IMG_NAME=hddrootfs.img
ROOTFS_FILE_NAME=hddrootfs.buffalo.updated
FIRMWARE=$1

. $MYDIR/ls-functions.sh

do_prep_dirs() {
show_msg "Preparing directories"
local DIRS="$ORIGINAL $ROOTFS"
for D in $DIRS; do
    clean_dir "$D"
done
mkdir -p "$OUTDIR"
}

do_unpack_firmware() {
show_msg "Unpacking firmware"
ROOTFS_IMG=`unpack_firmware "$TMP" "$FIRMWARE" "$ROOTFS_IMG_NAME"`
if [ -n "$ROOTFS_IMG" ]; then
    show_info "Found ROOTFS image: $ROOTFS_IMG."
else
    show_info "No ROOTFS image found! May be it not a valid LinkStation firmware.\n"
fi
}

do_unpack_rootfs() {
show_msg "Unpacking ROOTFS image"
PASSWORD=`unpack_buffalo_image "$ORIGINAL" "$ROOTFS_IMG"`
if [ -n "$PASSWORD" ]; then
    show_info "Using password $PASSWORD."
else
    show_info "Can't unpack ROOTFS image, no password matched.\n"
fi
}

do_extract_rootfs() {
show_msg "Extracting ROOTFS"
extract_rootfs "$ROOTFS" "$ORIGINAL/$ROOTFS_FILE_NAME"
}

do_remove_root_password() {
show_msg "Removing root password"
INITFILE="$ROOTFS/root/.files/initfile.tar.gz"
INITFILE_NEW="$ROOTFS/root/.files/new.initfile.tar.gz"
if [ -f "$INITFILE" ]; then
    show_info "Removing root password from initfile backup."
    INITFILE_TMP=$TMP/INITFILE
    extract_rootfs "$INITFILE_TMP" "$INITFILE"
    remove_root_password "$INITFILE_TMP/etc/shadow"
    package_rootfs "$INITFILE_TMP" "$INITFILE_NEW"
    mv "$INITFILE_NEW" "$INITFILE"
fi
show_info "Removing root password from shadow file."
remove_root_password "$ROOTFS/etc/shadow" "$ROOTFS/etc/shadow~~"
chmod 0644 "$ROOTFS/etc/shadow"
}

do_create_emergency_script() {
show_msg "Creating emergency script service"
local EMERG_SCRIPT="$ROOTFS/etc/rc.d/extensions.d/S00_emergency.sh"
emergency_script >$EMERG_SCRIPT
chmod 0755 $EMERG_SCRIPT
}

do_allow_root_login() {
show_msg "Allowing root login via telnet and ssh"
# Open telnet
echo "telnet        stream        tcp        nowait        root        /usr/local/sbin/telnetd        /usr/local/sbin/telnetd" >> "$ROOTFS/etc/inetd.conf"
#sed -i -e 's/#telnet/telnet/' "$ROOTFS/etc/inetd.conf"
#if [ ! -f "$ROOTFS/usr/sbin/telnetd" ]; then
#cd "$ROOTFS/usr/sbin" && ln -s ../../bin/busybox telnetd
#fi
# Allow root login via ssh
sed -i -e 's/#PermitRootLogin/PermitRootLogin/' "$ROOTFS/etc/sshd_config"
sed -i -e 's/#StrictModes yes/StrictModes yes/' "$ROOTFS/etc/sshd_config"
sed -i -e 's/#PermitEmptyPasswords no/PermitEmptyPasswords yes/' "$ROOTFS/etc/sshd_config"
sed -i -e 's/#UsePAM no/UsePAM no/' "$ROOTFS/etc/sshd_config"
# Patch sshd.sh
#sed -i -e 's/`which sshd`/\/usr\/sbin\/sshd/' "$ROOTFS/etc/init.d/sshd.sh"
sed -i -e 's/\[ "${SUPPORT_SFTP}" = "0" \]/\[ `\/bin\/false` \]/' "$ROOTFS/etc/init.d/sshd.sh"
# Start sshd
SSHD=`find $ROOTFS/etc/rc.d/extensions.d -name '*sshd.sh' 2>/dev/null`
if [ "$?" -ne 0 ] || [ -z "$SSHD" ]; then
    show_info "Enabling SSHD service."
    cd "$ROOTFS/etc/rc.d/extensions.d" && ln -s ../../init.d/sshd.sh S99_sshd.sh
fi
}

do_fix_su_binary() {
show_msg "Fixing su binary"
mv "$ROOTFS/bin/su" "$ROOTFS/bin/su~"
cd "$ROOTFS/bin" && ln -s busybox su
}

do_correct_permissions() {
show_msg "Correcting permissions"
chmod 6555 "$ROOTFS/bin/su"
chmod 0644 "$ROOTFS/etc/profile"
}

do_correct_pam_modules() {
show_msg "Correcting pam modules"
cd "$ROOTFS/lib/security" && ln -s pam_unix.so pam_unix_auth.so
cd "$ROOTFS/lib/security" && ln -s pam_unix.so pam_unix_acct.so
cd "$ROOTFS/lib/security" && ln -s pam_unix.so pam_unix_passwd.so
cd "$ROOTFS/lib/security" && ln -s pam_unix.so pam_unix_session.so
}

do_add_executables() {
show_msg "Adding executables"
for ARCHIVE in `ls -1 $ROOT/data/*.tar.gz 2>/dev/null`;
do
    show_info "Adding from $ARCHIVE."
    tar --numeric-owner -p -xzf "$ARCHIVE" -C "$ROOTFS"
done
}

do_add_ssh_keys() {
show_msg "Adding ssh key"
SSH_DIR="$ROOTFS/root/.ssh"
AUTHORIZED_KEYS="$SSH_DIR/authorized_keys"
for KEY in `ls -1 $ROOT/data/*.key 2>/dev/null`; do
    show_info "Adding key $KEY."
    mkdir -p "$SSH_DIR"
    if [ -f "$AUTHORIZED_KEYS" ]; then
      echo "" >> "$AUTHORIZED_KEYS"
    fi
    cat $KEY >> "$AUTHORIZED_KEYS"
done
}

do_package_rootfs() {
show_msg "Package ROOTFS"
package_rootfs "$ROOTFS" "$OUTDIR/$ROOTFS_FILE_NAME"
pack_firmware "$OUTDIR" "$ROOTFS_IMG_NAME" "$ROOTFS_FILE_NAME" "$PASSWORD"
if [ -f "$OUTDIR/$ROOTFS_IMG_NAME" ]; then
    show_info "Opened ROOTFS image saved in $OUTDIR/$ROOTFS_IMG_NAME."
fi
}

main() {
echo "Opening stock firmware ROOTFS of $FIRMWARE."

FNAME=`basename $FIRMWARE`
FEXT="${FNAME##*.}"

do_prep_dirs
if [ "$FEXT" = "img" ]; then
    ROOTFS_IMG=$FIRMWARE
    ROOTFS_IMG_NAME=$FNAME
else
    do_unpack_firmware
fi
if [ ! -f "$ROOTFS_IMG" ]; then
    exit 1;
fi
do_unpack_rootfs
if [ -z "$PASSWORD" ]; then
    exit 1;
fi
do_extract_rootfs
do_remove_root_password
do_allow_root_login
do_add_ssh_keys
do_create_emergency_script
#do_fix_su_binary
#do_correct_permissions
#do_correct_pam_modules
#do_add_executables
do_package_rootfs

echo "\nDone.\n"
}

main
exit 0

上述LS系列使用到的固件:点击下载TS5000系列(需要ROOT)的固件下载:点击下载

初步判断,稍微小改代码即可对TS5000系列生效,欢迎讨论。

faninx 发表于 2015-9-6 13:36:04

我的LS421DE早卖了 不然还可以折腾下

swh485 发表于 2015-9-6 14:54:53

我用的就是LS421DE啊,不是早就可以ROOT了吗?都一个迅雷了。。。。

易璞 发表于 2015-9-7 11:49:46

faninx 发表于 2015-9-6 13:36
我的LS421DE早卖了 不然还可以折腾下

421DE我这边有现成的ROOT固件,隔壁的网友可以联系我发送{:7_187:}

易璞 发表于 2015-9-7 11:50:10

swh485 发表于 2015-9-6 14:54
我用的就是LS421DE啊,不是早就可以ROOT了吗?都一个迅雷了。。。。

这次是TS5400D啦,慢慢占领BUFFALO的高端品牌。

cnhnln 发表于 2015-11-28 22:30:45

马克一记

wujunan 发表于 2015-12-12 12:42:41

学习下,最近对BUFFALO感兴趣了

oldthree6289 发表于 2015-12-28 13:31:16

有时间折腾下,谢谢楼主

2011816 发表于 2018-8-2 19:51:45

需要ts5000root方法或root固件,谢谢

2011816 发表于 2018-8-2 20:08:59

易璞 发表于 2015-9-7 11:50
这次是TS5400D啦,慢慢占领BUFFALO的高端品牌。

发个TS5000系列固件给我
页: [1]
查看完整版本: 关于buffalo TS5000系列高端机器ROOT问题,思路已经有了