Introduction

This document describes in depth how to prepare your Buffalo LinkStation for installing NetBSD/sandpoint. In this example we use a LinkStation HD-HLAN, which is the same board as a classic KuroBox. The software installation instructions are valid for the whole LinkStation/KuroBox family:

  • LinkStation HD-HLAN (LS1/PPC)
  • LinkStation HD-HGLAN (Gigabit ethernet)
  • TeraStation HD-HTGL
  • TeraStation Pro TS-TGL
  • KuroBox classic (HD-HLAN board)
  • KuroBox HG (HD-HGLAN board)
  • KuroBox/T4 (TS-TGL board)
HD-HLAN front view

Accessing the serial interface

We need a serial console to get access to the firmware. That includes soldering a four pin header onto the board and building (or buying) a serial adapter from the LinkStation's TTL levels to RS232 levels.

Disassemble the HD-HLAN

Unfortunately the LinkStation was not meant to be opened by customers, so Buffalo didn't make it easy. On the top and bottom of the case there is a small tab besides the grey frame, which you have to press down (e.g. with a screwdriver) to be able to move the frame to the front. On the photo below the location is marked red.

KuroBox with tab marked

After a few millimeters the grey piece snaps free and comes up. You need quite some force to do that, because the shiny front bezel is secured by two hidden screws (one in the top and another in the bottom of the bezel). With enough force and skill you may be able to tear the screws out of the case (fortunately the screws are small). They remain in the shiny bezel. You may want to shorten the screws with a file now.

HD-HLAN half opened

Before the case can be opened you have to remove a screw hidden under a sticker, below the fan (marked on the right side of the picture). Then press the four tabs on the top and bottom to remove the upper half of the case. Remove another four screws to be able to lift the board.

Locate the serial header

Look out for a 4-pin header, called J1, which is usually unpopulated. The pin assignments are:

Pin number Function
1 TXD
2 RXD
3 3.3V
4 GND
Header pin assignments

Solder the missing header and enable write access

I would suggest to solder the 4-pin header on the back side of the PCB, because it is better accessible when opening the case. It is advisable to use an angled header to avoid problems closing the case. You also have to bridge R76, which is unoccupied. This is needed to enable write-access for the serial console. You may want to mark pin 1 of the header, before installing the board again.

Soldered header Bridging R76

Connect a serial cable

The serial port on LinkStation and KuroBox devices is using 3.3V TTL levels, which have to be converted into regular RS232 levels by a level shifter circuit. If you are not anxious using a soldering iron you find detailed instructions how to build such a converter here:

Make sure that the layout of the plug fits to the pinout of the LinkStation's serial header, as shown above.

Another option is to buy such a converter. There are solutions for a standard RS232 interface and for an USB interface. Look out for:

Now you can connect with any terminal program to the LinkStation's serial console. The easiest approach may be to use NetBSD's tip(1) command to make a direct console connection at 57600bps.

# tip -57600 console

Note that when using a serial connection via USB you may have to make an entry for /dev/ttyU0 in /etc/remote.

Replace the firmware with U-Boot

The LinkStations run with a proprietary firmware, which doesn't give you any control about the boot process. So our next step is to replace it with U-Boot.

Getting root access

We need root access on the vendor's Linux installation to be able to flash a new firmware. Without the original disk it will become much more difficult. You would either have to find a way to install the system onto a new disk with the help of a second machine, or use the JTAG port to flash the new firmware directly into the chip (in the last case you can skip all sections until the section called “First installation” ).

For the KuroBox you can skip this section. The root password is known to be kuro. Also telnet access is enabled. The default IP of the KuroBox is 192.168.11.150.

Make a new user over the LinkStation's web interface. We can use it to log in over the serial port.

Add a new user on the GUI

Log in into the new account and create a CGI file under /www which makes /etc/passwd writeable for all users.

BUFFALO INC. Link Station series HD-HLAN (HIDETADA)

BUFFALO login: Besucher
Password: 
Linux (none) 2.4.17_mvl21-sandpoint #990 2004xxxx 13:39:00 JST ppc unknown
Besucher@BUFFALO:~$ mkdir /www/cgi-bin3
Besucher@BUFFALO:~$ vi /www/cgi-bin3/exploit.cgi

exploit.cgi should look like this:

#!/bin/sh
chmod 666 /etc/passwd

Then enter the URL http://mylinkstation/cgi-bin3/exploit.cgi into your browser. When all went well, /etc/passwd is writeable now. Edit it with vi and copy your user password (/Jg58Gq9427qY in this example) over the current root password. Now you can log in with the same password into the root account.

root:dwqa1LabM8BgA:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/usr/sbin:
sys:*:3:3:sys:/dev:
adm:*:4:4:adm:/var/adm:
sync:*:6:8:sync:/bin:/bin/sync
shutdown:*:7:9:shutdown:/sbin:/sbin/shutdown
halt:*:8:10:halt:/sbin:/sbin/halt
operator:*:12:0:operator:/root:
ftp:*:15:14:ftp:/usr/sbin:/bin/false
nobody:*:99:99:nobody:/home:/bin/sh
Besucher:/Jg58Gq9427qY:101:1000::/home:/bin/bash

The CGI exploit, which I described above, probably does not work with all Linkstation firmware releases. It may fail with versions after 1.45. I was able to do it with 1.47 though. An alternative to this method would be to connect the hard disk to a second machine, which can mount the Linux file system, and replace the root password there.

Flashing U-Boot

To transfer the new firmware onto the LinkStation we first have to configure FTP access (already enabled for KuroBox). Enable the server and allow write access for registered users to the shared folders (e.g. share).

Enable FTP access with the GUI

Get an appropriate U-Boot firmware image from http://www.genbako.com/u-boot_loader/ (URL is obsolete, use copies below):

Transfer the firmware into the share folder on the LinkStation.

$ ftp mylinkstation
Connected to 192.168.0.9.
220 BUFFALO FTP server ready
Name (192.168.0.9:user): Besucher
331 Password required for Besucher.
Password: 
230 User Besucher logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd share
250 CWD command successful.
ftp> put u-boot-hd.flash.bin
local: u-boot-hd.flash.bin remote: u-boot-hd.flash.bin
229 Entering Extended Passive Mode (|||1045|)
150 Opening BINARY mode data connection for u-boot-hd.flash.bin
100% |***********************************|   170 KiB    6.07 MiB/s    00:00
ETA
226 Transfer complete.
174640 bytes sent in 00:00 (4.86 MiB/s)
ftp> quit

The next step is dangerous. Any fault, like a wrong firmware or an interrupted flashing process, will turn your LinkStation into a brick.

The boot loader firmware can be accessed from Linux through /dev/fl2. There is no dd so we will use cat. Log in as root on the serial console, go to the shared folder where we uploaded the new firmware and flash it.

root@BUFFALO:~# cd /mnt/share
root@BUFFALO:/mnt/share# ls -l
total 176
-rw-rw-rw-    1 Besucher hdusers    174640 May 13 15:43 u-boot-hd.flash.bin
root@BUFFALO:/mnt/share# cat u-boot-hd.flash.bin > /dev/fl2

The Diag and Disk Full LEDs will flash red during this process. This is normal. After a few seconds the LEDs are off again and the prompt returns. To make sure the process was successful, you should reread the firmware from the flash and compare it with the original. Therefore you have to download the new image, as this Linux installation also got no cmp.

root@BUFFALO:/mnt/share# cat /dev/fl2 > /mnt/share/newfl2

Here the downloaded image differs at character 174641. But that is ok, because the firmware is only 174640 bytes large and we downloaded the whole flash contents.

$ cmp -l newfl2 u-boot-hd.flash.bin
cmp: EOF on u-boot-hd.flash.bin: char 174641, line 891

Reboot your LinkStation and cross fingers. When all went well, the following lines will appear on your serial console:

U-Boot 1.1.4 LiSt 2.1.0 (Sep 21 2006 - 00:22:56) LinkStation / KuroBox

CPU:   MPC8245 Revision 1.4 at 196.608 MHz: 16 kB I-Cache 16 kB D-Cache
DRAM:  64 MB
FLASH:  4 MB
*** Warning - bad CRC, using default environment

        00  0b  1317  0985  0200  ff
        00  0c  1095  0680  0101  ff
        00  0e  1033  0035  0c03  ff
        00  0e  1033  0035  0c03  ff
        00  0e  1033  00e0  0c03  ff
Net:   COMET#0

This precompiled U-Boot defaults to the netcat console. So we have to wait about 20 seconds before an error is printed and the console returns to serial.

next_cons_choice: Unexpected code: 0x33
stdin :   serial
stdout:   serial
stderr:   serial
IDE:   Bus 0: OK 
  Device 0: Model: SAMSUNG SP1604N Firm: TM100-30 Ser#: S013J20XC0xxxx
            Type: Hard Disk
            Supports 48-bit addressing
            Capacity: 152627.8 MB = 149.0 GB (312581808 x 512)
Boot in 08 seconds ('s' to stop)...

Here you should press s to stop booting and change some environment variables to make U-Boot default to serial.

=> run ser
=> setenv bootcmd
=> setenv bootdelay -1
=> saveenv

Enter reset to reboot into interactive mode with serial console. At this point we no longer need the original Linux installation and we are ready for NetBSD.

First installation

The altboot bootloader

The altboot(8) program functions as a bridge between the U-Boot firmware and the NetBSD kernel startup environment. NAS firmware often provides no means to boot a kernel from disk or from the network and doesn't initialize all hardware correctly. We will also use it to pass a bootinfo list to the kernel.

The altboot boot loader has to be loaded and started using U-Boot. For the first installation we have to load it over the network with TFTP protocol, using the command tftpboot. Later we can put altboot into the flash memory and copy it from there.

When not already done, enable TFTP on your working system in /etc/inetd.conf and restart inetd. Then copy altboot.bin from the sandpoint distribution into /tftpboot. On the LinkStation we have to tell U-Boot its client address and the tftpd server address. Our working system's server address is 192.168.0.5 in this example, and the LinkStation is at 192.168.0.102.

=> setenv ipaddr 192.168.0.102
=> setenv serverip 192.168.0.5
=> saveenv
Saving Environment to Flash...
Un-Protected 1 sectors
Erasing Flash...
Flash erase: first = 54 @ 0xfff60000
             last  = 54 @ 0xfff60000
Flash erase: Done
Erased 1 sectors
Writing to Flash... done
Protected 1 sectors

Load altboot.bin into memory. The binary is relocated at 0x1000000, so type:

=> tftpboot 1000000 altboot.bin
Using COMET#0 device
TFTP from server 192.168.0.5; our IP address is 192.168.0.102
Filename 'altboot.bin'.
Load address: 0x1000000
Loading: ##############
done
Bytes transferred = 70844 (114bc hex)

Boot the INSTALL kernel with altboot

Now you can use altboot to launch the netbsd-INSTALL_KURO kernel for installing NetBSD. It is important to take netbsd-INSTALL_KURO instead of netbsd-INSTALL, because LinkStation and KuroBox systems have the UARTs swapped, i.e. they are using the second UART for the serial console. You may choose to load the installation kernel with TFTP or from NFS. TFTP was described above and for NFS there is a documentation at The Network File System. But in both cases you have to set up a DHCP server, which is explained in the DHCP Howto. An appropriate dhcpd.conf entry could look like this:

        host linkstation {
                hardware ethernet 00:07:40:xx:xx:xx;
                fixed-address 192.168.0.102;
                next-server 192.168.0.5;
                option root-path "/export/linkstation/root";
        }

The root-path option is only needed when using NFS and should match your exported NFS directory. Uncompress netbsd-INSTALL_KURO.gz from the NetBSD/sandpoint distribution and copy it into the NFS or TFTP directory. Then start the DHCP, NFS or TFTP server and boot the installation kernel from the firmware either with

=> go 1000000 tftp:netbsd-INSTALL_KURO

or from NFS:

=> go 1000000 nfs:netbsd-INSTALL_KURO

Our bootloader configures the hardware, determines the IP address, loads the kernel via network and launches it:

## Starting application at 0x01000000 ...

>> NetBSD/sandpoint altboot, revision 1.5 (Fri Feb 18 23:21:15 CET 2011)
>> KuroBox, cpu 195 MHz, bus 97 MHz, 64MB SDRAM
channel 0 present
wd0: <SAMSUNG SP1604N> DMA LBA LBA48 152627 MB
wd0: no disklabel
MAC address 00:07:40:xx:xx:xx
100Mbps-FDX
loading "netbsd-INSTALL_KURO" 5142988+110988=0x502f98
entry=0x00090000, ssym=0x00592b58, esym=0x00592f98
ksyms: Symbol table not found
ksyms: String table not found
ksyms: Perhaps the kernel is stripped?
Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
    2006, 2007, 2008, 2009, 2010, 2011
    The NetBSD Foundation, Inc.  All rights reserved.
Copyright (c) 1982, 1986, 1989, 1991, 1993
    The Regents of the University of California.  All rights reserved.

NetBSD 5.99.45 (INSTALL_KURO) #0: Thu Feb 10 11:36:46 UTC 2011
    builds@b6.netbsd.org:/home/builds/ab/HEAD/sandpoint/201102100300Z-obj/home/builds/ab/HEAD/src/sys/arch/sandpoint/compile/INSTALL_KURO
total memory = 65536 KB
avail memory = 57984 KB
OpenPIC Version 1.2: Supports 1 CPUs and 26 interrupt sources.
mainbus0 (root)
cpu0 at mainbus0: 8245 (Revision 0.4), ID 0 (primary)
cpu0: HID0 0x90c000<DOZE,DPM,ICE,DCE>, powersave: 1
eumb0 at mainbus0
com0 at eumb0 unit 1: ns16550a, working fifo
com0: console
ociic0 at eumb0
iic0 at ociic0: I2C bus
rs5c372rtc0 at iic0 addr 0x32: RICOH RS5C372[AB] Real-time Clock
satmgr0 at eumb0 unit 0: button manager (kurobox)
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0
pchb0: vendor 0x1057 product 0x0006 (rev. 0x14)
tlp0 at pci0 dev 11 function 0: ADMtek AN985 Ethernet, pass 1.1
tlp0: interrupting at irq 16
tlp0: Ethernet address 00:07:40:xx:xx:xx
ukphy0 at tlp0 phy 1: OUI 0x00e092, model 0x0001, rev. 1
ukphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
cmdide0 at pci0 dev 12 function 0: Silicon Image 0680 (rev. 0x02)
cmdide0: primary channel wired to native-PCI mode
cmdide0: using irq 17 for native-PCI interrupt
atabus0 at cmdide0 channel 0
cmdide0: secondary channel wired to native-PCI mode
atabus1 at cmdide0 channel 1
ohci0 at pci0 dev 14 function 0: vendor 0x1033 product 0x0035 (rev. 0x43)
ohci0: interrupting at irq 19
ohci0: OHCI version 1.0
usb0 at ohci0: USB revision 1.0
ohci1 at pci0 dev 14 function 1: vendor 0x1033 product 0x0035 (rev. 0x43)
ohci1: interrupting at irq 19
ohci1: OHCI version 1.0
usb1 at ohci1: USB revision 1.0
ehci0 at pci0 dev 14 function 2: vendor 0x1033 product 0x00e0 (rev. 0x04)
ehci0: interrupting at irq 19
ehci0: companion controllers, 3 ports each: ohci0 ohci1
usb2 at ehci0: USB revision 2.0
biomask 8000038 netmask 8000038 ttymask 8000038
uhub0 at usb0: vendor 0x1033 OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1 at usb1: vendor 0x1033 OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub2 at usb2: vendor 0x1033 EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
wd0 at atabus0 drive 0: <SAMSUNG SP1604N>
wd0: 149 GB, 310101 cyl, 16 head, 63 sec, 512 bytes/sect x 312581808 sectors
boot device: tlp0
root on md0a dumps on md0b
root file system type: ffs
erase ^H, werase ^W, kill ^U, intr ^C, status ^T
Terminal type? [vt100]

Just follow the usual procedure to install a NetBSD system.

Sandpoint installation window

Post installation steps

After a successful installation you want to make the system boot standalone when switched on, without the need for a serial console. So you have to modify the bootcmd in U-Boot's environment and write the altboot.bin binary to the Flash ROM.

On the LinkStation and KuroBox the last 128K or the Flash ROM are known to be unused, so we can put altboot there. Load altboot.bin into memory at 0x1000000 again, as explained above, and execute the following commands to write it to Flash ROM:

=> protect off fffe0000 +20000
Un-Protected 9 sectors
=> erase fffe0000 +20000

Flash erase: first = 62 @ 0xfffe0000
             last  = 70 @ 0xffffe000
Flash erase: Done
Erased 9 sectors
=> mw.b 1000000 ff 20000
=> tftp 1000000 altboot.bin
Using COMET#0 device
TFTP from server 192.168.0.5; our IP address is 192.168.0.102
Filename 'altboot.bin'.
Load address: 0x1000000
Loading: ##############
done
Bytes transferred = 70844 (114bc hex)
=> cp.b 1000000 fffe0000 20000
Copy to Flash... done
=> cmp.b 1000000 fffe0000 20000
Total of 131072 bytes were the same
=> protect on fffe0000 +20000
Protected 9 sectors
=> reset

Finally adapt the bootcmd environment string to autoboot altboot and start the netbsd kernel (which is the default name) from wd0 on each reboot:

=> setenv bootcmd cp.b fffe0000 1000000 20000\; go 1000000 wd0:netbsd
=> setenv bootdelay 3
=> saveenv

The \ is important for setenv not to misinterpret the ; as the end of the command.

Have fun with your mini NetBSD server!