TeraStation/LinkStation Firmware Image Passwords

The HD images inside the firmware updates for the TeraStation and LinkStation are gzipped tars of the files inside an encrypted zip file.

If you want to create your own custom firmware image or get root access on a firmware version that has the holes fixed then you will need to do the following. This is just a guide to how to unpack the HD image and then repack it. The actual modifications are up to you.

These are NOT the root passwords for any of the firmware versions. The root password is not important, since you are able to replace the hash in /etc/passwd for root with whatever you want once you gain access. The passwd file isn't overwritten during firmware upgrades, so you will need to create a SUID shell or a /etc/sudoers file in your custom firmware image.

I've only tried this for my TeraStation and v1.07β firmware but it should be the same steps for other versions and the LinkStation.

Please be considerate of Buffalo, however, and don't try to return TeraStations/LinkStations you've killed with a bad custom firmware, as you're not meant to hack them at all. If you want to experiment then buy a Kuro Box. We don't want to annoy Buffalo enough to implement a stronger security system regarding firmware upgrades.

Don't try to edit the filesystem image under Windows. If you unpack it and then repack it, you'll break the image, since the symbolic links and device files won't be created properly. You have to do it under Linux or your favourite *NIX-like OS. In theory it should be possible under Mac OS X but I've not tried it. You must also have root access to be able to create the device files.

Steps
  1. Become root
  2. Unzip image.dat with the correct password for the firmware version
  3. Untar it into a clean directory
  4. Do whatever changes you want
  5. Tar & gzip it back up and make sure the resulting file is called tmpimage.tgz
  6. Rezip it with the same password as before and overwrite image.dat from the firmware upgrade
  7. Apply the firmware upgrade

Commands
# Become root
unzip image.dat
# Look up the password
mkdir image
cd image
tar zxvf ../tmpimage.tgz
# Do whatever it is you need to do
tar zcvf ../tmpimage.tgz *
cd ..
zip -e image.dat tmpimage.tgz 
# Type in the previous password twice
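
A check for the breakage described above, where symbolic links and device files are lost when the image is repacked. This is an added example, not part of the original guide: it compares entry types, modes, owners, link targets and device numbers of the original tmpimage.tgz against the repacked one. The function names and the in-memory sample archives are constructed for illustration.

```python
import io
import posixpath
import tarfile

KIND = {tarfile.SYMTYPE: "symlink", tarfile.LNKTYPE: "hard link",
        tarfile.CHRTYPE: "char device", tarfile.BLKTYPE: "block device",
        tarfile.DIRTYPE: "directory", tarfile.FIFOTYPE: "fifo"}

def snapshot(tgz):
    """Map each member path to (kind, mode, uid, gid, link target, device numbers)."""
    opener = {"fileobj": tgz} if hasattr(tgz, "read") else {"name": tgz}
    with tarfile.open(mode="r:gz", **opener) as tar:
        return {posixpath.normpath(m.name): (
                    KIND.get(m.type, "file"), oct(m.mode), m.uid, m.gid,
                    m.linkname, (m.devmajor, m.devminor) if m.isdev() else None)
                for m in tar}

def compare(original, repacked):
    """List entries of the original image that are missing or altered after repacking."""
    old, new = snapshot(original), snapshot(repacked)
    problems = []
    for path, meta in sorted(old.items()):
        if path not in new:
            problems.append(f"{path}: missing")
        elif new[path] != meta:
            problems.append(f"{path}: {meta} -> {new[path]}")
    return problems

def build_sample(entries):
    """Constructed test input: an in-memory .tgz built from (name, type, linkname, mode)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, kind, link, mode in entries:
            info = tarfile.TarInfo(name)
            info.type, info.linkname, info.mode = kind, link, mode
            if kind == tarfile.CHRTYPE:
                info.devmajor, info.devminor = 1, 3   # /dev/null
            tar.addfile(info)
    buf.seek(0)
    return buf

# Constructed sample tree, not taken from a real firmware image.
GOOD = [("bin", tarfile.DIRTYPE, "", 0o755), ("bin/busybox", tarfile.REGTYPE, "", 0o755),
        ("bin/sh", tarfile.SYMTYPE, "busybox", 0o777), ("dev/null", tarfile.CHRTYPE, "", 0o666)]
# Same tree after a round trip on a filesystem without symlinks or device nodes.
BROKEN = [GOOD[0], GOOD[1], ("bin/sh", tarfile.REGTYPE, "", 0o644)]

if __name__ == "__main__":
    for line in compare(build_sample(GOOD), build_sample(BROKEN)):
        print(line)
```

compare() also accepts file paths, so it can be run on a saved copy of the original tmpimage.tgz and the repacked one before zipping. Entries whose mode or owner you changed on purpose are listed too.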

Passwords

The TeraStation and v2.x LinkStations use a different password and there are actually 4 possible ones it can use. It is unknown whether v1.x LinkStations have more than one password currently. Try the passwords in order. You must remember which one you used.

Firmware Version                          Zip file password
LinkStation v1.x firmware                 NFM_TUPSBHFNFM_TUPSBHF
TeraStation & LinkStation v2.x firmware   1NIf_2yUOlRDpYZUVNqboRpMBoZwT4PzoUvOPUp6l
                                          aAhvlM1Yp7_2VSm6BhgkmTOrCN1JyE0C5Q6cB3oBB
                                          YvSInIQopeipx66t_DCdfEvfP47qeVPhNhAuSYmA4
                                          IeY8omJwGlGkIbJm2FH_MV4fLsXE8ieu0gNYwE6Ty

The TeraStation passwords were worked out by Sec on the terastation.org wiki and the LinkStation v1.x password was worked out by miket at sowbug.org.

Change Log
v1.0  Initial version.