The Life of a Sysadmin

Carousel is a lie!

Entries from February 2005.

Network Everywhere NWR04B: Serial port working!
2005-02-01 20:54:12

At last! Paul has turned out to be a great help: he successfully hooked up a serial port to his NWR04B today and was able to get a shell on there. And after getting a lot of help from a couple coworkers of mine (thanks, Jim and Wayne!), I was able to duplicate his success! The embarrassing part is that it turns out the main reason I wasn't seeing anything from the serial port is that I wasn't powering the damn chip. For some reason I figured that the 3232 (from the good folks at Sipex Heavy Manufacturing Concern) would draw power from the serial port, or the board itself, or, I don't know, the luminiferous ether that surrounds us all. Jim set me straight on that. Quick transcript:

Got the 6HYNIX_16bits Flash ROM ADM5106 Boot:
NetMall System Boot
Copyright 2002 ADMtek, Inc.
CPU: ADM5106 Home Gateway Processor
POST Version: 2.00.0176
Creation Date: 2003.07.10
Press <space> key three times to stop autoboot... 0
Verifying product code......PASS
Boot Product Code!!!
DHCPS:DHCP Server Started.
Enabled NAT mode
======================================================
Mars project:
Command Line Interface. 1.18.0001 v.2003.10.16
======================================================
cmd> update
Entered INIT state.
MAC failed to BOOT...
CardStop is called
Entered WAIT_OFFER state.
Timed out in WAIT_OFFER state.

Fascinating, isn't it? :-) So yeah, lots of updates about to hit the wiki page. Next step is maybe to try uploading Armboot, the way CodeMan did, or maybe go for the gusto and try uploading a Linux filesystem image. Of course, there's lots of stuff to be found out just by poking around in the command line, too...

THE WINE OF BOOT
2005-02-04 20:32:18

Came across a couple of interesting problems this week. The first was getting our bran' spankin' new dual G5 Power Mac running Gentoo Linux to boot without a monitor. It turned out to be surprisingly difficult. Of course, I found this out just before I was going to move it into its permanent location; it simply hadn't occurred to me to try beforehand and make sure it wasn't an issue. (Glad I tried this before moving it, though; it's got to be at least 800kg.)

As near as I could tell (no serial port), the thing simply would not boot with the monitor detached. It'd power on, give the little boot chime, and then...nothing. It wouldn't respond to pings, it wouldn't use the monitor once I plugged it back in, and it would go into airplane mode after a few minutes (fans full blast...man, this thing has got some serious cooling), which suggested it wasn't even getting into Linux.

What was truly strange was that it seemed to be sending out multiple DHCP requests, asking for a new address every few minutes. It never responded on those addresses, nor did any other traffic come from them. I asked the Mac guy at work about it. "It shouldn't do that," he said. Well, okay, good to confirm that, but what do we do now? Didn't know: we knew of the Xserve machines, and figured headless booting shouldn't be a problem, but couldn't figure out what the next step would be.

There turned out to be a great deal of silence on the issue; neither one of us could find anything remotely like this in Google. Oh sure, there were the Old World Macs where you had to cross-connect a couple of pins on the video cable (or buy a dongle that'd do it for you) because the things depended on a monitor (ugh!), but nothing about New World machines like this. I found out about nvsetenv, the command that shows you the environment variables that are set in the Parameter RAM for Open Firmware, and hey! this looks interesting:

skip-netboot: false

Well, okay then! Set that to true, that'll keep it from trying to do DHCP, right? Skip right on over to the Linux kernel, and that's that! Save, reboot, and -- no. Doing the same goddamn thing. Back to square one.

Finally, I came across a mailing list message from one of the Yaboot developers that gave me a clue. I started looking at ofboot.b, the file used by yaboot to (hope I'm getting this right) feed Forth commands to the Apple Open Firmware in order to get things to boot. And then the Mac guy at work pointed out this ofboot.b file, from a page on YellowDog Linux' site about headless booting. Woohoo, off to the races!

...Yeah, right. Have you ever worked with Forth? I certainly haven't. I scratched my head, looked at the two versions of ofboot.b, then decided to sit down at the Open Firmware prompt (splat-alt-o-f) and do a bit of experimenting. It wasn't bad, actually; once I figured out "hello world" and simple addition, I was starting to understand what I'd seen.

I narrowed it down to two problem areas in Gentoo's version. The first was right up at the top:

: .printf fb8-write drop ;

This was a subroutine called printf being defined as two steps (I think): fb8-write and drop. Compare and contrast this with the usual way of printing stuff in Forth ("type"). I tried modifying this to read:

: .printf type ;

Gave it a try...and no, same problem.

Well, what about that dump-stdout bit from YDL? I tried that from the OF prompt and nothing: it complained that it was an unknown keyword. Okay, they're probably defining it somewhere else. Rather than bother looking it up, I moved on to the next bit, also close to the beginning of the file:

" screen" output

When I did this at the OF prompt, I got a seizure-inducing flicker followed by a prompt at a clear screen. Certainly doesn't seem good...so I tried removing that line, and success! I was able to boot without a monitor!

It's still strange to me that I haven't seen this mentioned anywhere. I guess it's possible no one's tried to boot one of these headless before, but I suspect that all my searches for "headless g5" were just too swamped in speculation about the Mini Mac. 'Tany rate, I'll submit a bug to Gentoo about this, and maybe send off something to the Yaboot folks as well.

The other problem was with Wine; we use it for a couple of Windows command-line tools as part of our compile. We had a guy whose instance of wine couldn't find a file in his PWD:

wine -- "c:foo" bar.c
Error: can't find file bar.c
And of course, bar.c was right fucking there, just waiting to be turned into an object file. So WTF, right? WINEPREFIX: yep, set correctly. Other tools able to find the file: yep, no problem there. Move the file to /tmp and try there -- aha, works!

Now I knew what was going on. We've had recurring problems with amd on FreeBSD (and lo, this was most assuredly a FreeBSD workstation): there is some kind of symlink caching going on (and amd is all about the symlinks, baby) in the FreeBSD kernel that amd finds itself unable to cope with. We'd upgraded amd to a later version on our workstations and found that our problems went 'way down -- only looks like I missed one. I set it up, told him to reboot, and patted myself on the back for a job well done. Only it didn't change anything: wine was still unable to find the damn file. Well, fuck.

In desperation I tried moving his directory (~jdoe/cvs) to another place (~jdoe/test), on the assumption that a different inode or something would convince amd to just find the damn file. Yeah, I know -- but it worked. I did some more dances, embarrassing to relate, and gradually convinced myself that whatever amd's failings, they were not relevant to this problem. Nothing else for it; time to pull out the big guns:

wine --debugmsg +all -- "c:foo" bar.c

Holy crap, does that ever present a lot of debugging info: piped to a file, it was around 600KB. A quick look showed that most of it was boring Wine/Windows initialization stuff, but I was able to narrow it down by grepping for "bar.c".

And this is where I found the interesting bit:

DOSFS_FindUnixName 'foo.c' not found in '/home/jdoe/CVS

In order to find a file, Wine needs to know what Windows drive it's on. The usual practice is to set up a drive for your home directory, and that's what we'd done with F:. But what was it doing looking in the wrong directory? This guy doesn't have anything named CVS -- except that he does, and this was confusing Wine: it was running in Unix and was case-sensitive (starting at the directory called "CVS", which comes before "cvs"), but it was simulating Windows and so it was case-insensitive (it couldn't tell the difference between F:CVS and F:cvs). Not only that, but it was stopping at the first failure, giving up on the F: drive, then moving on to other drives, then throwing an error when it couldn't find the file. No wonder it would all work if I renamed the directory!

It took me a day and a half to figure this out (I wish that were a lie), but I got to look like a minor hero when I showed him the solution:

mv CVS somewhere_else

With any luck, this little tale will save someone else a day and a half of their life.

And holy crap: here's a link to a guy who's hacked the freaking BIOS in his IBM T-41. Disturbingly, it would not let him use the wireless card he's bought for it -- he'd gone aftermarket, rather than official IBM -- and it kept saying "Please remove unauthorized card". Given IBM's geek-friendly rep, I'm surprised something like this hasn't got more play. Maybe I'll submit this to Slashdot and see what happens.

NWR04B: Back from the dead!
2005-02-05 21:55:40

Welp, thanks to a suggestion from Mike and Varu, I managed to resuscitate the dead NWR04B router. It had gone silent and unresponsive -- no web server, no response to pings -- after applying the firmware on the Network Everywhere FTP site. (Some upgrade!) Today, I picked up some header pins at the closest thing to a local electronics store. After a bit of work -- getting the solder out of header pins is tricky -- I got them attached, and sure enough the serial port worked fine. It was stuck at the bootloader menu, with this message:

Verifying product code...FAIL
* WARNING *
Need to reprogram the flash.

That reminded me of the bit on this page on the Linksys WAP-11. Apparently, firmware for other products using the same hardware would work much better than the Linksys firmware. To prevent this sort of thing, the bootloader was changed to check for a product code, to make sure it wasn't another company's firmware. Almost makes me wonder if that's what happened with the NE firmware. Pretty huge screwup, though...

So I tried uploading the Runtop firmware to the router via Xmodem...and it worked! I got the usual command line back, and everything seemed fine. I didn't try the web pages yet, but I don't expect any surprises there. I've checked the Runtop firmware with splitgzip, and it has the same kind of embedded Gzip archive the NE firmware does. It'll be interesting to compare the rest of it.

I've also tried fooling around with the rmem (read memory) command, and I think this might be promising. You can run "rmem 0 400", and it'll print out 0x400 bytes of memory, nicely formatted, starting at address 0. 0x400 seems to be the biggest chunk it'll print, but you can increment it and keep going. (Managed to crash it, too, by running "rmem 99900000 400"...the command line was completely unresponsive, and one of the LEDs on the front started flashing rapidly. Fortunately, the reset button set everything right.)

I'm thinking that this might be a way of reading out (what I hope will be) the bootloader code, and thus maybe getting the checksum code out of there somehow. I should be able to hack together an Expect script that'll cycle through the memory, capture the formatted output to a file, then turn that into a copy of the memory suitable for passing to a disassembler. And if that works, maybe we can look at overwriting flash with the wmem command...

Feh
2005-02-06 20:48:17

Holy crap, there were precisely three and a half funny moments during American Dad. What the hell happened to Seth MacFarlane? I hope the new Family Guy episodes are going to be better than that. I may stick around to see more, but not if they don't shape up soon.

A power bar you can SSH to
2005-02-07 11:19:45

I was shopping for a new rack and the necessary accessories, when I came across the power bar you can SSH to. That's right: not only does it have a digital readout on the thing that lets you know how much power/current you're drawing (and oh man, does that ever make this thing worth it; I'm scared to plug in new machines right now for fear I'm gonna trip a breaker), but you can ssh to the damn thing. There's even a "how to recover a lost password" procedure.

Tags: hardware.
I don't even have _words_ for this crap
2005-02-09 06:56:11

From here:

In one of the documents released last year, the Justice Department even blacked out a quote from a 1972 Supreme Court decision, reading in part: "The danger to political dissent is acute where the Government attempts to act under so vague a concept as the power to protect 'domestic security.'" Judge Marrero later ordered the quote restored.

NWR04B: Not so easy
2005-02-12 15:52:32

The continuing saga of the NWR04b, um, continues. As I mentioned, I was looking at using the rmem command on the NWR firmware to read out memory and maybe figure out the checksum code. I came up with a small expect script (well, grabbed rddmm.exp and butchered it 'til it did what I wanted) to do just that, but it seems to be a little buggy: after a while, the output freezes. If I fire up minicom, I get a whole crapload of memory output from the serial port -- the stuff the expect script had been reading all along. It continues until I reset the board, but after that the characters from the board are all messed up: you can see where the menu and prompts are, but every other character or so is wrong. If I exit minicom then start again, letting it reset the serial port in the process, everything's fine. This makes me think my expect script is maybe going too fast, or not grabbing the output fast enough, or something else that just messes up the state of the serial port temporarily.

I was going to work on it a bit and give it the option of starting at a particular offset (which would've taken a while, since I'm almost completely new to expect), but got distracted when I found the NWR's SEEKRIT MENU! At power-on, you see this prompt:

Got the 6HYNIX_16bits Flash ROM ADM5106 Boot:

Welp, turns out that if you hit the space bar three times right then, you get this menu:

Loader Menu
================
(a) Download POST ...
(b) Exit
Please enter your key :

Woohoo, a quick way to download ARMboot! Or so I hoped. (I did try UP LEFT UP LEFT RIGHT RIGHT DOWN RIGHT UP LEFT to see if that would run Linux automagically, but no.)

First, a cross-compiling toolchain was needed. I found this page, which had both a fully-compiled toolchain ready to download, or a script that would build everything for you and required lots of mysterious patches to be downloaded in advance. Since I'm more manly than smart, I went for the script. (Though obviously I'm not that manly, since I was depending on a script in the first place...) I ran into troubles with uClibc, though -- for some reason, the script would just refuse to build it. Eventually, I just gave up and downloaded the pre-compiled version.

Now, on to the actual compiling of ARMboot. Codeman, the original hacker, posted a bunch of files that included (I think) a modified version of ARMboot for the chip on the NWR. A quick make cx84200_config and make CROSS_COMPILE=/path/to/arm-uclinux-tools/bin/arm-uclinux- all worked, with a couple hiccups along the way. First off, I got this error:

cc1: error: invalid option `short-load-bytes'

A quick Google turned up this message from the CrossGCC project, saying that this option had been renamed alignment-traps. A bit of script-fu took care of that:

find . -type f -exec grep -l short-load-bytes {} \; | xargs perl -i.bak -pe's/-mshort-load-bytes/-malignment-traps/'

God, I love Unix. I tried make again, and came up with this error:

flash.c: 181: error: label at end of compound statement

The code in question looked like this:

default:
printf("Unknown Chip Type\n");
goto Done;
break;
}
/* Some stuff I'm leaving out... */
printf ("\n");
Done:
}

I moved the Done: label to before the last printf statement, and everything seemed to work fine: ARMboot compiled, and I had armboot.bin ready to go. Doubtless there's a better way of doing that, but this seemed to work well enough for now. Now to try uploading:

Loader Menu
================
(a) Download POST ...
(b) Exit
Please enter your key : a
Downloading............PASS
Verifying file......file corrupt -- FAIL
Well, crap: I was able to upload it by Xmodem, as I suspected, but it's still checksumming the thing, which means I was busted again. I'm still not giving up, though. I'm hoping to figure out the checksum; I found this page, which has a lot of pointers on how to do it. I think I'll try some of the things he talks about and see if I can figure out more about the checksum.

NWR04B: Checksum for original firmware
2005-02-16 21:03:51

Okay, so I think I've figured out the checksum for the original, available-from-ftp.networkeverywhere.com firmware (NWR04Bv1.02D1220.dlf). First, the file has two parts: there's what I'm calling bootloader (probably a huge misnomer), and then there's a gzip archive file called archive.bin.gz. splitgzip.pl will pull out the latter; simple math and dd will extract the former. The length of application.bin.gz is 743898 bytes; in hex, that's 0x000b59da. The sum of all the bytes in application.bin.gz is 0x05fc5b7c. Both of these numbers can be found (allowing for little-endianness) at 12 bytes and 8 bytes from the end of bootloader, respectively:

00004ed0 02 00 00 00 da 59 0b 00 7c 5b fc 05 20 03 00 00 |.....Y..|[.. ...|

So this works for the NE firmware. However, loading this has caused problems before, so I'm reluctant to use it as a basis for uploading new firmware. And the pattern does not seem to hold for the Runtop firmware I've used to resuscitate the dead router; I still have to figure out how they're doing it. Finally, even if I do figure out how to get the checksum working, will this let me boot Linux? Sure, I can upload a new filesystem, but how will I hand control to it? No idea. Still...fun puzzle!
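
The layout described in this post, as an added example that is not part of the original post or of splitgzip.pl: it reads the two little-endian fields that sit 12 and 8 bytes before the gzip archive and checks them against the archive itself. The sample image is constructed rather than real firmware, and the assumptions are that the archive runs to end-of-file and that the field widths are 32 bits.

```python
"""Check the length and byte-sum fields that precede the gzip archive."""
import gzip
import struct

GZIP_MAGIC = b"\x1f\x8b\x08"  # gzip ID1, ID2, CM=deflate

# Last 16 bytes of the bootloader, copied from the hexdump row at 0x4ed0 above.
PAGE_ROW = bytes.fromhex("02000000da590b007c5bfc0520030000")


def read_fields(bootloader):
    """Return (stored_length, stored_sum): little-endian 32-bit values found
    12 and 8 bytes before the end of the bootloader part."""
    if len(bootloader) < 12:
        raise ValueError("bootloader too short to hold the two fields")
    return struct.unpack_from("<II", bootloader, len(bootloader) - 12)


def byte_sum(data):
    """Sum of all bytes, truncated to 32 bits (width is an assumption)."""
    return sum(data) & 0xFFFFFFFF


def split_image(image):
    """Return (bootloader, archive).

    The gzip magic can also occur by chance inside the bootloader, so every
    candidate offset is tried and the one whose stored length equals the
    number of bytes left in the file is accepted.
    """
    pos = image.find(GZIP_MAGIC)
    while pos != -1:
        if pos >= 12:
            stored_len, _ = read_fields(image[:pos])
            if stored_len == len(image) - pos:
                return image[:pos], image[pos:]
        pos = image.find(GZIP_MAGIC, pos + 1)
    raise ValueError("no gzip member matches the stored length field")


def verify(image):
    """Compare the stored fields with values computed from the archive."""
    bootloader, archive = split_image(image)
    stored_len, stored_sum = read_fields(bootloader)
    actual = byte_sum(archive)
    return {
        "boot_size": len(bootloader),
        "stored_len": stored_len,
        "stored_sum": stored_sum,
        "actual_sum": actual,
        "ok": stored_sum == actual,
    }


def build_sample():
    """Constructed stand-in image: padding with a decoy gzip magic, a 16-byte
    row shaped like the one on the page, then a small gzip archive."""
    archive = gzip.compress(bytes(range(256)) * 4, mtime=0)
    body = b"\x00" * 32 + GZIP_MAGIC + b"\x00" * 29
    row = struct.pack("<IIII", 2, len(archive), byte_sum(archive), 0x320)
    return body + row + archive


def swap_adjacent(image):
    """Swap two unequal neighbouring archive bytes (length and sum unchanged)."""
    bootloader, archive = split_image(image)
    data = bytearray(archive)
    i = next(k for k in range(10, len(data) - 9) if data[k] != data[k + 1])
    data[i], data[i + 1] = data[i + 1], data[i]
    return bootloader + bytes(data)


if __name__ == "__main__":
    length, total = read_fields(PAGE_ROW)
    print("page row: length=%d (0x%08x) sum=0x%08x" % (length, length, total))
    sample = build_sample()
    print("sample:", verify(sample))
    print("after swapping two bytes:", verify(swap_adjacent(sample))["ok"])
```

A length plus a plain byte sum catches truncation and most transfer corruption, but the last line shows it still passes when two bytes trade places, so it is an error check rather than proof that the image is unmodified.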

Oh, man
2005-02-17 20:01:24

From Gentoo's security advisory:

Synopsis: VMware may load shared libraries from an untrusted, world-writable directory, resulting in the execution of arbitrary code.

2. Impact Information

Background: VMware Workstation is a powerful virtual machine for developers and system administrators.

Description: Tavis Ormandy of the Gentoo Linux Security Audit Team has discovered that VMware Workstation searches for gdk-pixbuf loadable modules in an untrusted, world-writable directory.

Impact: A local attacker could create a malicious shared object that would be loaded by VMware, resulting in the execution of arbitrary code with the privileges of the user running VMware.

3. Resolution Information

Workaround: The system administrator may create the file /tmp/rrdharan to prevent malicious users from creating a directory at that location.

And sure enough, a quick Google for VMware and rrdharan turns up the guy's profile on their support forums, where he's listed as a developer. I'd laugh, but this just makes me paranoid about what I might miss...
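
The condition the advisory describes, and why its workaround helps, as an added example that is not from the advisory or from VMware: a walk along a module search path that reports the first component another local user could create or replace. The directory layout is constructed in a temporary directory standing in for /tmp, and the `loaders` sub-path and function names are hypothetical.

```python
"""Audit a module search path for components other local users could control."""
import os
import stat
import tempfile

RISKY = {"creatable-by-anyone", "replaceable", "untrusted-owner", "symlink"}


def audit_search_path(base, relative, trusted_uids=None):
    """Walk base/relative one component at a time.

    `base` itself is assumed trusted. Returns a list of (kind, path) findings;
    the walk stops at the first component a loader could not descend through.
    """
    trusted = {0, os.getuid()} if trusted_uids is None else set(trusted_uids)
    findings = []
    cur = os.path.realpath(base)
    for name in relative.split("/"):
        parent_mode = os.stat(cur).st_mode
        world_writable = bool(parent_mode & stat.S_IWOTH)
        sticky = bool(parent_mode & stat.S_ISVTX)
        cur = os.path.join(cur, name)
        try:
            st = os.lstat(cur)
        except FileNotFoundError:
            # Nobody has claimed the name yet: in a world-writable parent,
            # whoever creates it first owns everything below it.
            kind = "creatable-by-anyone" if world_writable else "missing"
            findings.append((kind, cur))
            break
        if world_writable and not sticky:
            findings.append(("replaceable", cur))  # any user may rename or delete it
        if st.st_uid not in trusted:
            findings.append(("untrusted-owner", cur))
        if stat.S_ISLNK(st.st_mode):
            findings.append(("symlink", cur))  # flagged for manual review
            break
        if not stat.S_ISDIR(st.st_mode):
            findings.append(("blocked-by-file", cur))  # cannot be used as a directory
            break
    return findings


def plantable(findings):
    """True if some component could be supplied by an untrusted user."""
    return any(kind in RISKY for kind, _ in findings)


def demo():
    """Audit the same path before and after applying the advisory's workaround."""
    with tempfile.TemporaryDirectory() as root:
        shared = os.path.join(root, "shared")  # constructed stand-in for /tmp
        os.mkdir(shared)
        os.chmod(shared, 0o1777)  # world-writable with the sticky bit, like /tmp
        relative = "shared/rrdharan/loaders"  # 'loaders' is a hypothetical sub-path
        before = audit_search_path(root, relative)
        # Workaround from the advisory: occupy the name with a plain file.
        open(os.path.join(shared, "rrdharan"), "w").close()
        after = audit_search_path(root, relative)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", [k for k, _ in before], "plantable =", plantable(before))
    print("after: ", [k for k, _ in after], "plantable =", plantable(after))
```

The placeholder file only holds while the parent keeps its sticky bit and the file stays owned by a trusted user, which is why the audit checks both.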

New theme, upgrade
2005-02-18 07:30:03

I've upgraded Wordpress to the newly-released 1.5, and the Obsidian theme. 1.5 seems nice; there's a lot of new features, including some neat-sounding spam-fu, so I'm curious to see how it'll work. The upgrade was stupid easy. As for the theme, Obsidian is nice, but there are still some things I'm messing around with. I hate playing with CSS, though -- such a time-sink! -- so if I can't make it work easily I'll just go back to the default theme.

Toys, Freedom, Technocracy
2005-02-19 11:13:27

I haven't posted in a while about work, so I thought I'd put in some updates here. Plus, I've come down with a cold, so I'm too sick to think hard about checksums for router firmware right now. :-)

I've been on the receiving end for some fun toys of late. First off, I've taken delivery of three HP Procurve 2650 managed switches; these are going to replace our dumb (and problematic, though a lot less so since I've been making it a policy to get rid of cheap-ass switches bought from London Drugs) Dlink switches. Not a moment too soon, either; we have 96 ports right now, and I think there are about four free. I think I'm going to have to get some shelves to install them in our current rack; it's one of those telecom ones, so they'd be hanging out behind, and I suspect they'd tip it right over. It'll be nice to be able to do VLANs, track traffic, and so on. My MRTG page is already getting big; this'll push it up to 11.

Next, I've received two Adaptec SCSI cards and some rack rails. Doesn't sound like much fun until you combine it with the Promise RAID array and the new four-post rack that's coming next week (allegedly). This'll take care of our disk space problems for a year or two; right now, I've got the home directories of our Windows users spread over four disks in two servers, and I'm running out of room on all of them. There's some stuff that could be cleaned up, but for the most part it's needed; we've got some wicked big log files for regression tests that, for example, have taken up the lion's share of a 200GB disk. The Promise array holds, what, 15 disks? At the very least I should be able to get a couple terabyte, which should be good for a while. (I did some calculations a while back; for as long as I've been at this company (2 years in April), our storage requirements have doubled about every 6-8 months, and there's no sign that it's slowing down.)

After that, we've got an evaluation copy of VMware 5.
Just like the last time I checked out VMware, I'm using it to try out some Windows changes. Right now I'm trying out Daisy, a GPL'd automatic patch applier thingy for W2K. (XP support past SP2 will come with version 3; we're nearly all W2K, so it's not a big deal right now.) For the most part, I'm happy. There's a couple little things that are funky (W.Update sez no patches needed, Daisy sez 4 are needed) but it's a fuck of a lot better than going in every month and running W.Update manually (yeah, I know). So far I've been spending my time downloading all the fucking patches (<rant> Why the fuck doesn't MS have some sort of pattern for patch URLS? WTF is with these random strings of letters between "download.microsoft.com" and "W2K-patch-ENU.exe"? And why the fuck did they wait so long to standardize switches for non-interactive, non-forced rebooting application? </rant>); the next step is seeing how well Daisy works w/o interaction. (Probably just fine, from what I've seen.) Man, it'll be nice to drop patches on the FTP server, then tell everyone their computer will reboot at midnight...

As for VMware itself, it's a huge help. It's absolutely amazing to be able to revert to a snapshot; I don't even want to think about how long it'd take to duplicate that with a real machine, even if I had a fully automated install (which is my next goal after automated patch management). Aside from the little oops (and hey, it's beta), I've got no complaints at all about VMware as a program. I'm not really stress-testing it, though, so I don't know how well it'd do for some of the bigger programs we need to run at work. Of course, I don't really have any way of finding out, either; the EULA sez "You may not disclose the results of any benchmark test of the Software to any third party without VMware's prior written approval." Ah, proprietary software...

...which segues nicely into another toy I got this week: my membership package from the Free Software Foundation.
I got my LNX-BBC-based bootable membership card (#2961!), plus another CD with the source code...of course. Browsed through it just to look at the code, since it seemed like I really should (and also because I wanted to see if I could understand the source code for cksum...at 10 o'clock at night while waiting for cold medicine to kick in. Uh-huh). I also got my copy of Lawrence Lessig's Free Culture, a welcome letter that spent its first paragraph talking about the tax implications of that free book and looked like it was typeset with Tex (interesting -- it reminded me so much of everything I saw that came out of the University of Waterloo's math department...tests, newsletters, for-sale posters, everything), and the last two newsletters, including one with a picture of a very unimpressed-looking Bradley Kuhn (who has a poker journal. Who knew?) posing for the camera with SCO's subpoena.

I admit to being a bit unsettled reading one of RMS' essay/editorials for the newsletter, in which he said we were all working toward a future where all software would be Free. The religious overtones were hard to avoid, not to mention the similarities to exhortations from the left about when the workers would overthrow the shackles of capitalism. I'm NOT saying "RMS is a commie" or anything like that; it's the...I don't know, the feel of a small group of people desperately trying to make changes they believe in that's familiar. I used to get the same feeling when I came across the Technocracy newsletters at the library. (Bring back the Technocracy fliers, whoever you are...they're sorely missed.) But then I remember EULAs like VMware's, or like the one for a program we use at work that said something like "Despite whatever rights you have under law, you give them all up by using this software" and "You're not allowed to tell anyone the terms of this EULA" (fuzzy on that last one, so don't quote me -- but I'm pretty sure it was something like that).
And I realize just how much Freedom I take for granted, how much of it is due to the FSF and many others, and how that freedom is important enough to be capitalized.

Anyhow...qemu booted the membership card very nicely. It seemed astonishingly quick to start, until I realized that it wasn't simulating the usual BIOS check -- I hadn't thought before about how long that can add to boot times. Memory check, disk detection (IDE), disk detection (SCSI), bootloader...it adds up. One of these days I'd love to get some real server hardware to play with; I've heard very good stuff about Sun machines, and it'd be interesting to play with some non-x86 hardware (besides the router, I mean). I really should go see Cal and get a SparcStation...of course, they are a lot cheaper on eBay.

I also got a desktop machine of my own at work. Ever since I started, I've been using a machine that's been used as many different servers: spam filtering, backup NIS, backup, FreeBSD source code repository... I'd put in a request for a machine of my own, but (since I'm the one who had to buy it) nothing much got done. A couple of weeks ago, I got a request for a developer sandbox, so I ordered it in, got it set up, then was told that it was no longer needed. Well, sweet! It's a Shuttle, P4, 1GB of memory and a 200GB hard drive. This means a) I can run stuff like VMWare on Debian and b) I no longer have to start full backups on the weekend to make sure my desktop is actually usable on Monday: I can just start full backups on Monday morning, and continue hitting refresh on Slashdot. Oh yeah!

Finally, my wife got a toy too: a new LCD monitor. She had been using this 15" CRT I picked up at a swap meet for $50, but it had started to make ominous brrrZZAAP! electrical noises. Picked up a Benq (you know it's a Benq because when you turn it on, it says "Benq!" for a second or two before you get your desktop) 17" FP 731 on sale after reading the reviews (cheap but decent seemed to be the consensus).
No complaints so far, and man I can't believe how big it looks. Damn tempted to get one for myself...but I think I might order one of these instead while I still can. The situation in Canada doesn't seem quite so dire as down there, but then again where the hell am I going to pick up a Canadian made HDTV encoder card?

...Good god, 1500 words. Post this puppy.

NWR04B: Checksum closer for new firmware
2005-02-19 13:40:16

Ha! In the Runtop firmware, there's the strings "Repotec" and "ip2014". Sure enough, a Google on the latter turns up lots of references to the IP2014 router from Repotec. This version of their firmware has the same structure as the Network Everywhere and Runtop firmware: bootloader + application.bin.gz. However, the firmware is much more similar to the RT bootloader (the one I haven't figured out the checksum for yet). The length is the same, but different md5sum. A quick diff of the hexdump outputs turns up this:


diff ../original_runtop/bl.hd bl.hd 
1,4c1,4
< 00000000  06 00 00 ea 02 00 00 00  03 00 00 00 03 13 00 02  |................|
< 00000010  02 00 00 00 5f 6c 0a 00  cd 33 6e 05 67 02 00 00  |...._l...3n.g...|
< 00000020  13 00 00 ea 02 00 00 00  03 00 00 00 03 13 00 02  |................|
< 00000030  02 00 00 00 3f 6c 0a 00  4b 30 6e 05 c2 01 00 00  |....?l..K0n.....|
---
> 00000000  06 00 00 ea 02 00 00 00  0a 00 00 00 02 12 00 1b  |................|
> 00000010  02 00 00 00 6c 6b 09 00  26 27 e7 04 55 02 00 00  |....lk..&'..U...|
> 00000020  13 00 00 ea 02 00 00 00  0a 00 00 00 02 12 00 1b  |................|
> 00000030  02 00 00 00 4c 6b 09 00  05 24 e7 04 11 02 00 00  |....Lk...$......|

...which means this is where the checksum must be!

It burns, Krusty, it burns!
2005-02-23 10:44:14
  1. Why the fuck does a goddamned accounting program addon require the user's fucking group to have full fucking control of HKLM? Huh?
  2. Synergration. Syner-fucking-gration.
Shelf Life
2005-02-25 06:53:59

From a catalog page I found while searching for rack shelves:

Shelf life. That period of time your product remains viable. Sometimes the right shelf can expand shelf life. Especially if it's center-weighted so it won't tip over and destroy your heavier equipment such as monitors and servers.

Ah, Belkin. How I long to lick your creamy centre.

Easily amused
2005-02-25 23:24:47

Welp, the Promise array is here at last. I don't have any disks yet -- they're coming in next week -- but I've had a chance to play around with the firmware. First off, it's running Linux, just like JWSmythe said. The firmware that came with the box said "Now uncompressing Linux..." at boot time; it may be indicative of something that the newer firmware says "Now uncompressing kernel..." Promise doesn't mention anywhere on their website that the 15100 uses Linux, which surprises me a little. They also don't offer the source code anywhere. I've sent 'em an email asking about that; their autoresponder said I should hear about that today.

Second, I've yet to figure out how to enable SSH on the thing, and I'm increasingly lacking confidence that it even offers this, even after the firmware upgrade. Naturally, this is in strict contrast to what's listed on the website. I've sent them an email about this.

Third, I've yet to figure out how to monitor the thing by SNMP. I can run snmpwalk, sure, and I get info back, but I don't see anything like network traffic or disk stats or anything. (Compare and contrast with the PDU from APC, which included the SNMP schema [if that's the right word] on the CD.) Then again, this may be because I haven't got any disks in there. We'll see.

Fourth, it looks like there was corruption of the firmware. Got it in yesterday, booted fine, upgraded firmware by TFTP, all good, turned it off before going home (and not for the first time that day, either). This morning I booted it, and things were just wrong: the network address was obviously bogus and couldn't be changed, various menu entries were showing garbage instead of "Promise VTrak 15100" or whatever, and so on. I called tech support, who told me the secret:

  1. Reboot.
  2. When booting, hold down ctrl-F to get to the BPD prompt (which is some sort of bootloader prompt).
  3. Type "diag".
  4. Select "Clear or Test FRAM".
  5. Let it do its thing.
  6. Quit the diag tool.
  7. Type "reset" to reboot.

Note: if you fry your array by following this advice, you're on your own. But it worked for me. Of course, this doesn't explain why it happened in the first place. I'm going to be watching it carefully.

Funny moment: While waiting for me to figure out how to reboot the array [which took a few minutes because of the menu corruption I called to complain about], the techie I was talking to was having a conversation with someone else. "Are you reading? [pause] Okay, are you working on projects? [pause] It's okay if you're using the web to work on projects. [pause] But if you're just surfing the web looking for a job, that's not working on projects." Second funny moment: The warranty registration page on the Promise website asks for suggestions and comments to "help us imporve in the future." Third funny moment: When registering the extended support, the page that asked for the value of the product purchased barfed with "Internal Error" when I put a dollar sign in the amount. (Okay, so I'm just easily amused.) Finally, it's just plain odd to be asked for your bona fides by your power bar:

  1. Access: Enabled
  2. Protocol Mode: SSH Version 2 only
  3. Telnet Port: 23
  4. SSH Port: 22
  5. Advanced SSH Configuration
  6. Accept Changes : Pending

?- Help, esc- Cancel Changes, enter- Refresh, ctrl -L- Event Log
> 6

LICENSE AGREEMENT

By enabling this security feature, you are agreeing to the following statements:

A. This Product includes cryptographic software subject to export controls under the U.S. Export Administration Regulations. You agree to cooperate with American Power Conversion Corporation as reasonably necessary to ensure compliance with the laws and regulations of the United States and all other relevant countries, relating to exports and re-exports ("Export Laws"). You shall not import, export, re-export or transfer, directly or indirectly, including via remote access, any part of the Products into or to any country (or its nationals or permanent residents) or to any end user or end use for which prior written governmental authorization is required under applicable Export Laws, without first obtaining such authorization. By ACCEPTING THESE TERMS, you are representing and warranting that neither your use nor your receipt of any part of the Products requires prior written authorization under any Export Laws. You are responsible for complying with any local laws in your jurisdiction which may impact your right to access or use this product.

B. By ACCEPTING THESE TERMS, you are representing and warranting that (1) you are not located in or a national of any U.S.-sanctioned or terrorist-supporting countries, (2) identified on the U.S. Treasury Department's List of Specially Designated Nationals, the U.S. Commerce Department's Entity List, or the U.S. Commerce Department's Denied Parties List; or (3) engaged in any proliferation-based or terrorist-supporting activities.

Do you accept the terms of this license agreement?
Enter 'YES' to continue or ENTER to cancel :
Tags: gpl, hardware, linux.
NWR04B: Checksum solved!
2005-02-28 20:39:57

I finally figured out the last bit (well, at least the last bit that varied significantly) in the checksum for the NWR04B firmware. I've updated the wiki and the checksum program. The program not only lets me duplicate the firmware I've already got (ie, it puts the bits back together so that they match the original), but lets me crash the router in new and interesting ways. Just for fun, I tried making an image from the original hack's root filesystem. I was able to get the router to apply the upgrade, but (surprise!) nothing happened when it rebooted -- it verified the checksum then did nothing, and I had to upload an old firmware image by Ymodem over the serial cable. But hey! Progress!

12 comments. No tags
