[Case Sharing] Unpack the QNAP NAS system image and restore the system components lost after the downgrade

QNAP (QNAP) released the new QTS 5.0 system in September 2021. The author recently received an official update notice, so I upgraded my TS-551 to the latest version, but found that both the system fluency and stability are consistent with each other. The gap in their propaganda was far, and they had to be downgraded to QTS 4.5.4. However, due to the FTP QTS 5.0 as an optional software package (QuFTP), after downgrading the system neither QuFTP, nor should have QTS 4 proftpd process, this article will share with readers QNAP NAS unpack the system image to restore the system components .

0x01 Problem Overview

As shown above, after downgrading from QTS 5 to QTS 4, the author found that after the FTP service was opened, port 21 still could not be connected. After entering SSH to check the process list, I found that there was no proftpd process at all:

0x02 Analyze the problem

The author first thought of starting the FTP service manually, so I executed the following command:

sudo /etc/init.d/ftp.sh start

After the execution, it was found that the FTP process did not appear.

So I opened the above startup script, hoping to manually start the service to see if there is an error or other information:

/sbin/daemon_mgr proftpd start "LD_PRELOAD=/usr/local/lib/libtrash.so TZ=/etc/localtime /usr/local/sbin/proftpd -n > /dev/null 2>&1 &"

segmentation fault error 0618619f683607 directly:

Execute /usr/local/sbin/proftpd directly:

It seems that this is the problem. Proftpd does not exist at all. Maybe the firmware forgot to restore the proftpd that was deleted by QTS 5.0 during the downgrade, causing this problem.

After some searching, the author found that QNAP has modified the source code of proftpd, adding management functions and some other customization functions, so it is impossible to find ready-made binary files or source code packages to install directly from the Internet. You must use the one that matches the system version. The original binary file is restored back. So where do the binary files come from? The author thought of the official system firmware.

The author downloaded the mirror image consistent with the system version from QNAP Download Center, obtained TS-XA51_20210923-4.5.4.1800.zip , unzipped it, and obtained the mirror image of the same name .img After trying to use a variety of decompression software and disk mirroring software, the author realized that it seems that the mirror file is not in a conventional format, but a format customized by QNAP.

Since it is a customized format, there must be a place to decompress, and the system image is installed in the NAS, the decompression tool should also be built-in in the NAS.

0x03 Unpack the image

Found a feasible direction, so I started looking for scripts related to firmware update in the system. After searching for the author, I found that a /etc/init.d/update.sh was very "suspicious". Due to the long script, one of the lines is excerpted below, which is also the most critical line:

/sbin/PC1 d QNAPNASVERSION4 "$path_name" "${_tgz}" "${CS_SIGNATURE}";

According to the script, PC1 should be a tool for decompressing the system firmware package. This tool decompresses the system firmware to a .tar.gz file. So the author decompresses the img package we obtained above according to the rules of this command:

PC1 d QNAPNASVERSION4 ./TS-XA51_20210923-4.5.4.1800.img ./TS-XA51_20210923-4.5.4.1800.tar.gz

The results were exciting, and I got a compressed package TS-XA51_20210923-4.5.4.1800.tar.gz

Next, the author tried to decompress the compressed package and obtained the file shown in the following figure:

According to the file name rules, it can be guessed that part of the files are from the boot partition, and the rootfs2.bz and rootfs_ext.tgz inside are the key points that need to be paid attention to. So the author continued to decompress these two files:

$ bzip2 -k -d ./rootfs2.bz
bzip2: ./rootfs2.bz is not a bzip2 file.
# 既然其格式不是标准格式，那么使用file命令来看看到底是什么格式
$ file ./rootfs2.bz
rootfs2.bz: LZMA compressed data, streamed
# 原来是LZMA格式，和initrc.img一样解压即可
$ xz -dc ./rootfs2.bz | cpio -id

If you look at the current directory at this time, you will find that some directories appear:

As mentioned above, the files we need are in /usr/local/sbin/prosftpd , so let’s see ./rootfs2.bz files we need are included in the 0618619f68384b file:

The answer is yes~

0x04 solve the problem

Now that you have obtained this file, the next thing to do is very simple: copy it to the corresponding directory, and then reopen the FTP service in the control panel of the NAS:

$ sudo cp ./usr/local/sbin/proftpd /usr/local/sbin/proftpd

View the process list again:

Use telnet to connect to port 21, you can connect, the problem is solved successfully!