NAS Forum

Techman,

Each MvixBox has a unique serial number that must be somewhere on the flash. I think its possibly embedded in the bootloader and if so it explans why Mvix flatly refuses to co-operate in unbricking efforts by its customers.

Maybe the key here is to find the address of the serial number and how its addressed by firmware and updates. I hope its not encrypted in some way.

Aquar

Just my 2 cents:

the bootloader itself should not contain any uniqe (serial no. / mac) or box-specific information. Otherwise a MD5 check would not be possible.

Means: Bootloder should be universal. (Incl. protection mechanisms)

Greetz

Hi Snoopy,

What you say about the MD5 check is of course true.

I don't yet have a JTAG breakout box so I can't really do anything other than guess at the moment.

I do only suspect the bootloader on the MvixBox is unique to each machine. Once you try and unbrick it by flashing with a more normal redboot loader, then the Mvix Firmware fails to load and you are left with other firmwares from companies that use this hardware.

It would be really great to confirm this. Maybe if MvixBox owners could dump a copy of their bootloader and then we can compare MD5 hashes. Its on my agenda for the MvBUG usergroup (when we have a few more expert members).

Aquar

Hi Snoopy,



One of the MvBUG members did a hash check of the MvixBox bootloader and compared it to the Open Gimini Bootloader found here. And the hashes are of course the same just as you thought.



Techman said you put in the MAC address via the bootloader except you put in the serial number instead. At least thats what I think he is saying.

Where then is the MAC address stored on the flash?



Cheerio,

Aquar

Hi Aquar,

Great! So the bootloader should work 4 YOU.

When u use the flash tool (thx to HWguru) the bootloader is flashed first of all and after that You´ll be asked for the MAC Adress (use the one that is on the sticker on the backside of the NAS, or where ever it is written).

So the MAC is changed right after flashing. Thats what I wrote (between the lines) in the prev. comment in this threat. If the MAC is changed BEFORE flashing it the hash would change and a checksum check would not work at all, because it is performed at the beginning of the flash process.

After flashing the BL and change of MAC Your NAS schould be reachable again, so You can flash one of the suitable firmwares.... and Done.

Greetz
Snoopy

Hi Snoopy,



That all makes perfect sense to me, and as a result flashing the Edimax, Planex or Digitus firmwares together with the bootloader should work just fine on the MBox. And indeed his has been done.



I must admit I always thought that the MAC address was hard coded, and therefore I formed an opinion that the request to enter it after flashing the bootloader was due to a security check.



Techman said that for the Mvix firmware he entered the serial number instead of the MAC address. This may have few implications 1) the serial number can be changed and its not supposed too 2) how is the MAC address taken care off during the flashing and 3) would not there be a conflict if just a non Mvix firmware is flashed because it would see a serial number instead of a MAC address.



Guess I am still confused and not understanding the Mvix serial number issue. I am not aware that anyone has been able to flash back to the Mvix Firmware after trying one of the others (hence I am not game to try it).



Mayby you or HwGuru can help clarify the process a bit more.



Cheerio,



Aquar

Hi Aquar,

1.) Yes, the MAC can be changed. Of cours it is not fixed - why should it
2.) You flash via JTAG (directly @ processor) or serial. Therefore You wont need any MAC or IP. Thats why flashing via JTAG or serial connector is MAC free.
3.) I would not enter a serial instead of MAC. But actually I just do not know where to fill in the serial. You are sure You´ll really need to do so? Maybe the serial is aked after installing the firmware and the serial is somehow computed from the MAC and some Hardware Information. I do not think that the bootloader itself is protected.

Maybe the Mvix support can clarify that? The question is, when and how the serial shoud be typed in and how it is computed. If we have those information we could have a closer look at the serial procedure and how it could be bypassed (if You want that).

Greetz
Snoopy

Hi Snoopy,

Biggest problem is that I am a Noobie when it comes to knowing how these NAS devices generally initialise on startup. And then on top of that is that Mvix have chosen to be non standard in this area..

When I started MvBUG (Mvixbox User Group) it was simply to set up a mechanism for people to get together to help each other with firmware and unbricking issues. This in turn because Mvix refuses to help and have totally washed their hands from this product.

I asked HWGuru for some help in facilitating MvBug and he created our sub-forum. Now MvBUG is growing steadily but we are yet to make any inroads to help ourselves. I guess most join in frustration and are really Noobs as well, but we are improving our grasp on these NAS boxes a little bit at the time.

I try to work it out by soliciting for info from anyone that has experience. Trick is not to become a pain whilst asking questions that are obvious to the gurus.

I just wanted to provide this bit of background simply to avoid being seen as a nuisance here in this persuit.

Anyway any help to work out this serial thing would be greatly appreciated.

Like all these NAS boxes the MBox firmware is loaded up via a setup program.
When you run the setup executable it asks for the serial number to be entered before it will continue.
The MBox comes with the 8 MB flash pre-flashed with of course the redboot bootloader but also a micro kernel the FIS directory etc. The setup exe will load the rest of the kernel on the HDD and software to operate the NAS.
Without a HDD installed you get a CGI page of information like the firmware version installed on the flash.
From the CGI page you can flash with a patch file to upgrade the flash firmware contents. When you do that it also asks for the serial number before it proceeds. Note: this patch file is not publicly available from MVIX to its MBox users.)
With this SN number not held in the bootloader and the firmwares also being hash verifiable, it is a real difficult issue for us to try to work out how the serial number is processed. My next guess is probably similar to the way the MAC address is stored and located.
That's the milestone information that I am trying to get to. Because if we know how to deal with the serial number we also are much closer to unbricking a bricked MBOX with MVix firmware, rather than the other firmwares applied to this hardware.

Cheerio,

Aquar

Hi Aquar,

thx for the detailled background information. In deed it makes a little bit more understandable whats the problem with the SN.

Well this SN proceedure is a simple way to protext the firmware from beeing ripped for any other NAS. I think thats why the guys who created it put in the SN request.

The problem is that noone of You owns such a SN? Right? If you would have one you just could type it in and the FW would be flashed correctly.

Well first of all it is clear now, that You type in the MAC adress in the first step: flashing the bootloader. If someone would have a working MAC - SN combination you could try to share that among your community. I do not think that FW developers created a single usage procedure (it would require an online activation).

If theres no SN at all it makes the thing a lill mor difficult. PProbably the best way is to know the algorithm that computes the SN from the MAC (and some Hardware information - that should be the same among all the Mvixboxes). From that you could then create the SN that you could type in in the second etep: FW flashing. But it is really hard to reengeneer that. The better way is to find out where in the installation file the SN procedure is called and to overrun that.

As I understand you, there is an executable file, you run on your windows machine (exe). That exe calls the flash procedure after prompting the SN dialog. Right?
Maybe there is a way to start flash procedure without running the exe?

Actually I do not own such a device - otherwise I could check that by my self. So it is up to You

Maybe you can giove me a link on the FW package you will flash? May be theres a way of debugging it and find out how to bypass or overrun the SN request

Greetz Snoopy

But remember, it is not allowed to do so in several countries. I have to point that out because of preventing you from trouble. So please check the legal situation in your country before.G

Hi Snoopy,

I'll have to carefully read your response to fully grasp what you are saying.

Most of the MvBUG members have an MBOX, and thus they have the serial number (printed on the bottom of their NAS box).
The problem is that when this NAS box is truly bricked and needs reflashing with a new bootloader, no-one has been able to unbrick them back to MVix firmware. The serial number seems to be lost forever in the process.

There was one chap CSTAMAS (a member here) who might know a bit more, but I have not been able to contact him.

We can load other firmwares like for example the Planex one because these procedurally conform, ie work with Alfred's flasher program etc.

If you are right in the idea that there is an algorithm that generates a serial number from the MAC address, then knowing both should allow the flashing via the setup exe, once the bootloader is flashed by JTAG, followed by telnetting into the bootloader to configure the MAC address. Except for one thing, there is nothing in flash yet to execute any firmware to generate the SN (except the bootloader).
We know the bootloader isn't MVix specific so that only leaves the setup.exe itself to generate the SN code.
I don't know if the setup program even works when the flash memory is "empty", but it would be interesting to experiment along these lines by someone with a bricked MBox. The setup program also provides just an incremental upgrade path, so you would need to get hold of the base level setup program. Like I said this thing comes with pre-installed firmware on the flash (feels like the chicken and the egg question).

I did buy a second MBox for experimentation. But first I need to get to know a bit more about what I am doing before I potentially destroy a perfectly working NAS unit. And I still don't have a JTAG Serial to USB device (only can get them on Ebay, but I have no Paypal).

In most countries, including Australia, we are not allowed to override software protection.
That said, all of the stuff on this NAS device is GPL derived. Nothing on it warrants it to be closed sourced or protected.
MVix are breaking the GPL terms and conditions by refusing to open source "their" GPL sourced firmware/software.
In fact they are very dogmatic in ignoring GPL terms and conditions and even more so in ignoring their customers when in trouble with their products.

Essentially the serial number has only one purpose for being there. That is, the NAS configuration GUI is accesible to eveyone on the internet via its DDN connectivity. Of cource you need a password to gain entry as a user or administrator, and then any critical changes requires the correct serial number to be entered on top of that (could just as easily be the MAC address!). There is nothing wrong with this added level of protection, its just the implementation of it is terrible and has these unwanted repercussions in unbricking these things.

So, maybe it is to do with firmware protection against piracy, maybe it is just intended protection against unauthorised users trying to be malicious, maybe I think its just Mvix not being consumer oriented (ie Nasty!), or maybe I am overlooking a simple solution.

Cheerio,

Aquar

Hi there,

its pretty clear what the serial is for: Some kind of protection against FW ripping. In deed a huge amount of (nearly) identical Hardware is offered (mostly from chinese manufacturers). Creating a firmware is a pretty expensive job. Thats why it may be for protecting against usage on another NAS.

Where can I get the FW? Just to have a look at it. And of course the Installer exe.

May be we can override the f***ing Serial-procedure.

Greetz

Hi Snoopy,



All firmwares and the setup programs for the MVixBox are here http://www.mvix.net/forum/forum_topics.asp?FID=27&PN=1



It appears that you can re-flash the kernel image to the Flash memory with TFTP via the Redboot command menu. No serial is referenced and everything still works. Looks like then that the setup program (and by implication the HDD held firmware) are responsible for the SN request/generation.



I'll be getting an FTD based USB to serial adapter next week to do some hands on experimentation.



I got "confused" reading the RedBoot user documentation as there were only references to a CLI interaction. Seems that the RedBoot bootloader compiled for the Storlink CPUs is a special. These tangents make it hard to progress the learning process but I hope to be able to write a simplified WIKI for how the MVixBox initialises and how to Unbrick it.



Cheerio,



Aquar

Hi Aquar,

I just had a short look on the Installer. Yes, the SN procedure is called there. The firmware itself is for the first view unprotected. So a quick´n simple solution should be in calling the FW directly, without using the installer. Thts what You can do with serial - but I guess theres a way via the config. I´ll check that today.

Cheers!
Snoopy

Hi Snoopy,





Interesting, I guess the same SN procedure call is in both, the flash image and the "HDD" setup program, firmware files.



If I get it so far, I think we can restore the flash contents without the need for a SN via serial, and you can then run setup as long as you have entered the original MAC for which you have a matching SN. That would be excellent for MvixBox owners that have bricked their box. Not so good yet for others that have this hardware from a different vendor but fancy this firmware.



Not sure if you can telnet into a functioning bootloader via TCP/IP. If true then a partially bricked box could be recovered without opening the box and special hardware.





Thanks so much for your efforts in helping us out with this.



Cheerio,



Aquar