Digging deeper into the drive

Breaking into an Old Iomega Home Media Network Hard Drive (Cloud Edition) Part II

In part I of this tale I described how to take an Iomega HMNHDCE drive and gain telnet access.

In this, part II, I show how I got ssh to work so that I could move off using the insecure telnet connection, and how to upgrade the Debian 5.0 (Lenny) installation to Debian 6.0 (Squeeze), which — although it is also at the end of its lifespan — still has more security than the originally installed version.

Good things come in small packages

Debian Lenny is named after the walking binoculars from Toy Story

The Iomega firmware engineers installed a Debian Lenny version with the package manager completely mangled, so upgrades, updates, and new software installs don’t work. I am guessing they crippled it on purpose to prevent exactly what I am doing now.

This means you can’t install the openssh-server, or even a better editor than the one that is there, namely vi (which I can’t stand).

So the packet manager needs to be repaired manually, and there are no instructions out there on the web on how to do it.

As an aside — Debian software comes in packages, and there is a command called dpkg that handles replacing old software with new software. And then there are three things: aptitude, apt, and apt-get, that have a simpler command-line structure than dpkg to do this (but they all actually call dpkg to get the work done).

Because all the different software, programs, and libraries have complicated interdependencies, the package manager keeps a bunch of databases to track what you have, what you’ve downloaded and want to install, and how the install went.

It’s those things that were missing.

To the source

The first thing wrong is the sources.list file. This specifies the webservers holding copies of all the libraries and programs. Since the Iomega was release, the Debian Lenny packages have been moved to something called “archive”.

As a result, you need to edit /etc/apt/sources.list to be:

deb http://archive.debian.org/debian-archive/debian/ lenny main contrib non-free
deb-src http://archive.debian.org/debian-archive/debian lenny main contrib non-free
deb http://archive.debian.org/debian-security/ lenny/updates main contrib
deb-src http://archive.debian.org/debian-security/ lenny/updates main contrib
deb http://archive.debian.org/debian-archive/debian-backports lenny-backports main
deb http://archive.debian.org/debian-archive/debian-backports lenny-backports-sloppy main

You can do that with vi, but I don’t have the space to put a tutorial on that editor here. So I’m leaving it as an exercise for the reader.

Then there are a bunch of folders and files missing. These are meant to hold data on the upcoming installations and how things are progressing. In Debian Lenny the package manager is so old that if one or more of those files and folders is missing, it doesn’t create them, it simply throws weird incomprehensible and misleading errors (this was actually an ongoing theme for Lenny in other areas too).

So run these commands:

touch /var/lib/dpkg/status
mkdir -p /var/cache/apt/archives/partial
mkdir -p /var/lib/apt/lists/partial
mkdir -p /var/lib/dpkg/updates
mkdir -p /var/lib/dpkg/info
mkdir -p /var/lib/dpkg/alternatives
touch /var/lib/dpkg/alternatives/editor.dpkg-new
touch /var/lib/dpkg/diversions
touch /var/lib/dpkg/available
touch /var/lib/dpkg/status
touch /var/cache/apt/archives/lock
chmod 640 /var/cache/apt/archives/lock

A number of libraries are present when they should be symlinks to the most up to date one. This can be corrected by moving the offending libraries to a backup copy (always best to keep things in case something goes wrong):

cd /lib
mv libcgicc.so.5 libcgicc.so.5.bak
ln -s libcgicc.so.5.0.1 libcgicc.so.5
mv libgdbm.so.3 libgdbm.so.3.bak
ln -s libgdbm.3.0.0 libgdbm.3
mv libgdbm_compat.so.3 libgdbm_compat.so.3.bak
ln -s libgdbm_compat.3.0.0 libgdbm_compat.3

The list of users with superuser powers has the wrong file permissions, which can be corrected with:

chmod 0440 /etc/sudoers

Finally, shadow passwords are disabled, so enable them with:

/sbin/shadowconfig on

If I have been through my commands history file correctly, that should have the system in a state where updates and installs can finally happen.

And that means we can install secure shell for login, and close down that insecure telnet…

Where are you?

But first, to avoid reams of complaints about something called a locale, let’s set up the required software and configuration that says what language we are using and where we are:

apt-get install locales
locale-gen en_US.UTF-8
export LANGUAGE=en_US.UTF-8
export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8
locale-gen en_US.UTF-8
dpkg-reconfigure locales

That last command is going to call up a white, black and pink screen (or is blue — I can’t remember), and you have to scroll all the way down the list and press space next to the en_US.UTF-8 option to get through this.

Doing the above stops the Perl scripting language to repeatedly complain about not knowing where it is.

Ssh: move quietly and break things

The server is installed with the following:

apt-get update
apt-get install openssh-server

The install should also cause the server to start running.

Note that you’re going to get warnings that the “keys” for verifying that the packages are valid cannot be found. Packages are digitally signed by their creators, but these are so old that the keys are out of date.

I spent some time trying to get updated keys, before giving up, as it seems that this distribution is so old that no one cares anymore.

Disable telnet by editing /etc/inetd.conf and put a # symbol in front of the line telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd.

Hang on, before you do that, make sure you check that ssh is actually working by logging out, and then logging in with ssh root@<your Iomega's IP address>

Speaking of which, you may want to give your Iomega a static IP address, so it’s always in the same place. You can actually do that from the web interface control panel, so I won’t put the details on how to do it from the command line here.

Can I still tend rabbits?

So, now we are going to upgrade from Debian Lenny to Debian Squeeze. Firstly, given that you have a working system, take a snapshot of it.

First check which partition is which:

fdisk -l

You should see something exactly like this:

So sda1 is the Debian partition, and sda2 is the actual data storage space on the disk. Actually, it’s automatically mounted at /nethdd, so you can go explore it with your shell.

But back to backups. We can actually back up the Debian partition to the data partition with the following command:

dd if=/dev/sda1 of=/nethdd/public/lenny.img

It’s only 4GB, and we have 980GB or so spare, so I decided to save time and processor power by not zipping the image.

Now if we mess up (and I did a couple of times) you can take the disk out of its case, connect it to your computer, and write the partition image back to the partition — see the previous article on backups for details on that.

And now, for the upgrade:

  1. edit all occurrences of the word lenny to squeeze in the /etc/apt/sources.listfile. There is this thing called sed, which stands for “stream editor”, that can do that automatically for you:
sed -i ‘s/lenny/squeeze/g’ /etc/apt/sources.list

That stuff in single quotes is called a regular expression, or regexp. If you want to lose a week of your life and go slightly mad, feel feel to go off and learn about it.

Personally, I learned enough to inspect regexp strings that do what I want and were created by others.

2. Get the updated packages:

apt-get update

The squeeze packages are now all downloaded and waiting for the upgrade to be completed.

3. Start the upgrade:

apt-get dist-upgrade

This takes a while, and you keep getting asked if you want to replace existing scripts with those of the package maintainer. I selected ‘Yes’ every time, because the old one’s are renamed, so you can always go back to them. But I haven’t had to yet.

In the end, a blue framed screen with an intimidatingly long warning pops up. Ignore it.

And that’s it. Debian Squeeze is in the house.

These two files show you what you’re running

Conclusion

The result of all of this is a reasonably secured free-standing Debian server with a decent sized disk that you can play about with.

If I feel like it, I may even produce a part III, showing you how to hack the built-in webserver to put your own web pages in the system and use your Iomega as a simple stand-alone webserver.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Keir Finlow-Bates

Keir Finlow-Bates

CEO and co-founder of Chainfrog Oy, a Finnish startup researching and developing advanced blockchain technologies.