23.3.11

Seagate Dockstar - Regain ssh access

In my previous post I mentioned that a newly purchased Dockstar tends to "phone home" and, by performing an automated firmware upgrade, forbids ssh login with the default credentials root/stxadmin. To prevent this, one can dedicate a separate subnet or even a separate switch to the Dockstar, which is of course cumbersome in home environments where spare switches do not lie around everywhere.

In this post I first show how to regain ssh access without registering to the Pogoplug web service. Then we will permanently switch off the cloud service responsible for the nasty behavior (I should have done this in the first place). The first part requires some soldering, as right now we only have the serial interface. This means that if you just bought the Dockstar, you had better jump to the second part of this post and ensure the ssh access. This also comes in handy if you plan to change the factory default firmware afterward.

Serial console

As embedded boards do not necessarily have any video output, a serial connection almost always exists, mainly for debugging. Such basic access might come in handy if all hell breaks loose and, e.g., the network connection becomes broken. On the Dockstar we find a 2x5 pin header which carries the JTAG and serial connections. Here, the important pins are 8 (RxD), 9 (TxD) and 10 (GND). If you are not familiar with this naming scheme, I suggest reading this Wikipedia article.
Important: the Dockstar serial port voltage levels are 0 to 3.3V, while RS-232 uses -12V to 12V, which most likely will damage the board. Therefore never hook the Dockstar serial out to a PC RS-232 port! It is more versatile (and with the extinction of hardware RS-232 ports eventually necessary) to use a USB-serial converter. I used an FTDI FT232RL based board; however, it is easier to use the data cable of some cell phones. There have been success reports with Siemens C55 and Nokia cables. The latter is easier to develop, as most of the USB-serial converter is already designed, but as I had the FTDI board, I stuck with that one. As for design considerations, there is an interesting concept in the second part of this post to close the upper cover of the Dockstar with the serial port remaining accessible. It would also be interesting to build the USB-serial electronics inside and connect it to the top mini USB plug.
Now, we can either directly solder the corresponding lines or make a converter cable. It is important to hook up the lines in a crossed fashion: Dockstar RxD -- converter TxD and vice versa. GND is GND as always.

Now it is time to test the connection: open your favorite serial console program, such as putty or Windows's built-in HyperTerminal. The serial port settings are 115200 baud, 8 data bits, no parity, 1 stop bit. If everything goes well, you will see the Dockstar booting on the console after a power on. If this is not the case, check the connection and the USB-serial converter settings.

Restarting ssh service
The Dockstar uses Dropbear as its ssh server, which is a lightweight combined server and client application. For further understanding it is important to know that the startup scripts are located in /etc/init.d. More specifically, rcS is executed each time the device boots up. The other scripts in this directory are responsible for the services running on the Dockstar. We are particularly interested in hbmgr.sh and dropbear.sh. The following lines can be executed via the serial console:

-sh-3.2# cd /etc/init.d
-sh-3.2# ls -1
db
dropbear.sh
hbmgr.sh
rcS
udhcpc_ra0.sh

hbmgr.sh is the cloud service startup script causing all the pain, while dropbear.sh is the ssh startup script. Now we need to alter rcS so that it starts the latter and no longer starts the former. In order to make this possible, we have to remount the root filesystem read-write:

-sh-3.2# mount -o rw,remount /

Then edit rcS with a text editor such as vi. For vi, there are many good manuals on the internet; here I only want to add that the vi on the Dockstar starts up in command mode, therefore we first need to press 'i' in order to actually type in the file.

-sh-3.2# vi rcS
#! /bin/sh

mount -t proc none /proc
mount -t sysfs none /sys
mount -t devpts none /dev/pts
mount -t tmpfs none /tmp
mount -t usbfs none /proc/bus/usb
mkdir /tmp/var

echo "/tmp/core_%e_%t" > /proc/sys/kernel/core_pattern

hostname Pogoplug

ifconfig lo 127.0.0.1
ifconfig eth0 169.254.37.133
udhcpc -b `hostname`

#telnetd
/etc/init.d/db
ntpd -g
#comment out the following line
#/etc/init.d/hbmgr.sh start
#add the following line
/etc/init.d/dropbear.sh start

#/bin/mount -a

When finished, press ESC and then save by typing ":wq".
Now it is time to reboot:
-sh-3.2# /sbin/reboot

and now the Dockstar can be reached via ssh with the default root/stxadmin login, which I suggest changing with the passwd command. As the cloud service engine was switched off, this will remain the case, so it is now safe to leave the Dockstar plugged into the network. An interesting side effect of the above procedure is that the LED will remain yellow even though the LAN link is up.
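
The rcS edit above can also be scripted so that it is repeatable and can be checked afterwards; the following is an added example, not part of the original post. The helper names patch_rcs and check_rcs are made up here, and it assumes the firmware's shell provides sed, grep, cp and cat.

```shell
#!/bin/sh
# Added example: scripted form of the manual vi edit of /etc/init.d/rcS.
# patch_rcs and check_rcs are hypothetical helper names, not Dockstar tools.
# Assumes the firmware's shell provides sed, grep, cp and cat.

DB='/etc/init.d/dropbear.sh start'
DB_RE='^[[:space:]]*/etc/init\.d/dropbear\.sh[[:space:]]\{1,\}start'
HB_RE='^[[:space:]]*/etc/init\.d/hbmgr\.sh'

# patch_rcs FILE: comment out active hbmgr.sh start lines and make sure an
# active dropbear.sh start line exists. Safe to run more than once.
patch_rcs() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
    [ -f "$f.orig" ] || cp -p "$f" "$f.orig" || return 1  # keep first backup
    # Prefix '#' to hbmgr.sh start lines that are not already comments.
    sed 's|^\([[:space:]]*\)\(/etc/init\.d/hbmgr\.sh[[:space:]]\{1,\}start\)|\1#\2|' \
        "$f" > "$f.new" || return 1
    # Append the dropbear line (at the end of the file, unlike the manual
    # edit) only when no active one is present.
    grep -q "$DB_RE" "$f.new" || echo "$DB" >> "$f.new"
    cat "$f.new" > "$f" && rm -f "$f.new"  # overwrite in place, keeps mode
}

# check_rcs FILE: succeed only if hbmgr.sh is disabled and dropbear.sh enabled.
check_rcs() {
    if grep -q "$HB_RE" "$1"; then
        echo "FAIL: hbmgr.sh is still started from $1" >&2
        return 1
    fi
    if ! grep -q "$DB_RE" "$1"; then
        echo "FAIL: dropbear.sh is not started from $1" >&2
        return 1
    fi
    echo "OK: $1 starts dropbear.sh and not hbmgr.sh"
}

# Usage on the device, after "mount -o rw,remount /":
#   sh patch_rcs.sh /etc/init.d/rcS
if [ -n "${1:-}" ]; then
    patch_rcs "$1" && check_rcs "$1"
fi
```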

Further investigation of hbmgr.sh reveals interesting pieces of information such as lines like "modprobe rt3070sta". I have no idea why this Ralink wireless chipset is included here...

9.3.11

Seagate Dockstar - Teardown

I ordered a Seagate Dockstar on eBay as a playground for some experimenting with OpenWrt. This device is particularly well-equipped compared to similar ARM-based NAS/routers with its 128MB DDR2 SDRAM and 256MB Flash. Sadly though, the original purpose of the Dockstar seems badly established: your local NAS can only be managed through a web interface on dockstar.pogoplug.com, with local management support completely missing. I am not really happy with this option as I do not believe that it is safe at all.

Nevertheless the hardware is a state-of-the-art ARM-based board equipped with 4 USB 2.0 ports and a gigabit Ethernet interface, and it is strong enough to even support standard Linux distributions. Debian and Gentoo have already been successfully installed.
The box itself is nicely designed, the board is in a modern-look minimalistic box. The miniUSB port on the top fits some of Seagate's external hard drives; however, some third-party boxes can be used too, it takes only a ruler to figure it out.

Important!

Before going any further: NEVER ever connect the Dockstar to a network with public internet access. According to many reports it tends to "phone home", that is, to make automated software updates. This is a problem because the ssh access gets disabled and only the serial console remains. This actually happened to me, so consider this issue confirmed! Preventive measures include either a separate switch or subnet dedicated to the device, or manually disabling routing to the Dockstar on the gateway.
Update: I managed to resolve the problem, ssh access is regained. For details, jump here.

An inside look

Anyway, let's look inside! The top part of the casing is held by eight claws (two on each side). After popping it off, the connector of the top mini USB port has to be removed, and the entire PCB becomes accessible. Below are the main circuits on the two sides of the PCB that I pinpointed, together with their purpose. For everyone who likes to visualize things, I have also marked them on the high-res PCB photos.



Top layer:
  • Marvell Kirkwood 88F6281 ARM926 compatible SoC;
  • Nanya NT5TU64M16DG-AC 128MB DDR2 SDRAM;
  • Two Marvell dual switching power supply circuits.
On this layer we also find the dual LED, the reset button and the UART/JTAG service header. The supply input is a standard single pin connector with the center pin positive and the shield negative. The factory provided external power supply brick outputs 12V 2A. The serial/JTAG header pitch is 2.0mm, a rarely used standard, however available at most distributors.

Bottom layer:
  • Marvell Alaska 88E1116R Gigabit Ethernet PHY;
  • Micron 29F2G08AAD 256MB Flash;
  • Genesys GL850G 4-way USB 2.0 hub;
  • Atmel AT24C02B I2C EEPROM;
  • Monolithic MP8708 switching power supply;
  • Marvell 88PG8227 dual switching power supply.