Synology Cubestation

Embarrassing bug in OpenSSL for the Linux community. Also Synology-products suffered from this.

09 April 2014
We've addressed this CVE and are preparing the fix to the vulnerability.
We look forward to providing the fix shortly.

v 3-1-1638 - not affected.

Installed Sep 2014:

Nice storage-boxes from
Not really an alternative, very immature (i.e. fuugethaboutit): FreeNAS

My Black Cube 407
CS407, Marvell Orion mv5281 ARM Processor, SATA, 32-bit Memory Bus, 128MB of RAM
Cubestation 407

A recent update (2011? 2012?) brought 1xRaid5 instead of the sub-optimal 2xRaid1 I had before:

ConfigurationOld setupCheap
Upgrade A
Upgrade B
(Today, done)
Upgrade C
slot10,5 TB 2 TB 1 TB 2 TB
slot10,5 TB 2 TB 1 TB 2 TB
slot31 TB1 TB1 TB 2 TB
slot31 TB1 TB1 TB 2 TB
Raid type2x Raid12x Raid1Raid5Raid5
Brutto3 TB6 TB4 TB8 TB
Netto1,328 TB3 TB3 TB6 TB
0 CHF 250 CHF 200 CHF 500 CHF

Old setup:
Volume 1: RAID1 with 2x 1TB, Total capacity: 913.94 GB
Volume 3: RAID1 with 2x 500GB, Total capacity: 455.49 GB




Time Machine

For Mac users - easy peasy!!!

...until Apple upgraded the AFP-protocol just as CS407 had reached end-of-life for firmware support.
But luckily Synology decided to give us one last upgrade due to the move by Apple: Version: DSM 3.1-1636

Logitech Squeeze Center on the Cube

See SqueezeCenter


Change php.ini:

vi /usr/syno/etc/php.ini

Adding the FTP-directory for PHP-access:
open_basedir = /volume1/ftp: [ ... ]

MOTD - Message of the Day

vi /etc/motd

|                      |
|     Welcome to       |
|    EbmatStation      |
|                      |
|   Cubestation 407    |


Enable in the web-config panel
store public key as


Change SSH Port-number to 5022

vi /etc/ssh/sshd_config


Port 5022

FTP welcome
vi /etc/ftpwelcome

FTP welcome after login
edit /etc/ftpmotd

IPKG package manager

Adding IPKG itself with a bootstrap:,_bootstrap,_ipkg_etc

ipkg is also dependant on a few other software bits and pieces that are not installed on the synology servers. Consequently to install ipkg you need to use the appropriate bootstrap which automates the installation of ipkg and the other packages it needs.

After you have installed ipkg (see the bootstrap section below), you can install ipkg packages of programs using the command "ipkg install xxxx" where xxxx is the name of the package. Once the package is installed you can run it using "xxxx" where xxxx is the name of the program you just installed (this is normally the same as the package name, but not always).

For help with ipkg commands use "ipkg -help":

usage: ipkg [options...] sub-command [arguments...]
where sub-command is one of:

Package Manipulation:
		update                  Update list of available packages
		upgrade                 Upgrade all installed packages to latest version
		install <pkg>           Download and install <pkg> (and dependencies)
		install <file.ipk>      Install package <file.ipk>
		configure [<pkg>]       Configure unpacked packages
		remove <pkg|regexp>     Remove package <pkg|packages following regexp>

IPKG Bootstrap

For mv5281 ARM models (such as my Black CS407)

The steps to install the bootstrap (provided as .xsh files) are below, you should replace the text in bold with the relevant text for your CPU's bootstrap file (listed above).
  1. Reboot your NAS.
  2. Enable and then Login to the Command Line Interface as user "root", password is the same as for admin.
  3. Change to a directory such as "/volume1/@tmp", i.e. enter the command "cd /volume1/@tmp"
  4. Get the NAS to download the bootstrap, e.g. if you have an mv5281 ARM model enter the command " wget " alternatively download the bootstrap to your PC and then copy it to a shared folder on the NAS
  5. Set the .xsh script to be executable "chmod +x syno-x07-bootstrap_1.2-7_arm.xsh"
  6. Now run the .xsh script, e.g. if you have an mv5281 ARM model and used the bootstrap above enter the command "sh syno-x07-bootstrap_1.2-7_arm.xsh"
  7. After the script has finished you can delete the script file, e.g. for mv5281 ARM users using the bootstrap above enter the command "rm syno-x07-bootstrap_1.2-7_arm.xsh"
  8. NEW: If you have DSM 4.0 there is an additional step. In the file /root/.profile you need to comment out (put a # before) the lines "PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/syno/sbin:/usr/syno/bin:/usr/local/sbin:/usr/local/bin" and "export PATH". To do this enter the command "vi /root/.profile" to open the file in vi. Now change vi to edit mode by pressing the "i" key on your keyboard. Use the down cursor key to move the cursor to the start of the line "PATH=/sbin..." and put a "#" infront of this line so it is now "#PATH=/sbin...". Do the same for the line below so it is now "#export PATH". Now press the escape key (to exit edit mode) and type "ZZ" (note they are capitals) to tell vi to save the file and exit. For background info on why this is neccessary for DSM 4 refer to
  9. Note: If you have the following error: "Cannot satisfy the following dependencies for wget-ssl: libidn", you need to manually download libidn and install with ipkg: Eg. for Synology DS108j: "wget" (wget should be already present on the system) and enter the command "ipkg install libidn_1.21-1_powerpc.ipk". Run the ipkg bootstrap process again (press yes when it asks to overwrite config file). For a procedure to install ipk packages without ipkg, see
  10. Reboot the NAS and login again to the Command Line Interface as user "root"
  11. Update the ipkg list of available packages using the command "ipkg update"
  12. Upgrade any ipkg installed packages to the latest versions using the command "ipkg upgrade"
  13. Finished, you can now install ipkg packages using the command "ipkg install xxxx" where xxxx is the name of the package. You can list all the available packages using the command "ipkg list". As this is a long list you can filter it using the command "ipkg list | grep xxxx" where xxxx is the text you want to search for. Alternatively, you view one page at a time using the "more" pipe, e.g. "ipkg list | more"

Note: ipkg expects to find your ipkg files/programs in the path "/opt". As the synology NAS's put all your files in "/volume1" the bootstraps put your IPKG files/programs in "/volume1/@optware" but then mount this directory so it ALSO appears as "/opt". Hence, do not think that "/volume1/@optware" and "/opt" are duplicated files, they are not duplicated, they are in fact exactly the same directory.

Adding the NC FTP client

EbmaStation407> ipkg install ncftp
Installing ncftp (3.2.3-1) to root...
Nothing to be done
An error ocurred, return value: 22.
Collected errors:
ipkg_download: ERROR: Command failed with return value 8: `wget --passive-ftp    -q -P /opt/ipkg-qUE4jB'
Failed to download ncftp. Perhaps you need to run 'ipkg update'?
EbmaStation407> ipkg update
Updated list of available packages in /opt/lib/ipkg/lists/cross
Successfully terminated.
EbmaStation407> ipkg install ncftp
Installing ncftp (3.2.4-1) to root...
Configuring ncftp
Successfully terminated.

Adding screen
ipkg install screen

Info on this lovely linux utility:

Adding SCP

In short, start with

ipkg install zlib

From OpenSSH we only need the archive 'data.tar.gz':

cd /tmp
ipkg download openssh

tar -xvzf openssh_5.9p1-1_arm.ipk ./data.tar.gz

From the 'data.tar.gz'-archive we only need the files 'sftp' und 'scp'.
Move them to 'bin', and link in the required library v0.9.7:

tar -xvzf data.tar.gz ./opt/bin/sftp ./opt/bin/openssh-scp
mv ./opt/bin/* /opt/bin

cd /usr/lib
ln -s

Finish off by installing a bunch of utilities. This will remove an error-message you'd face if not installing the utility 'group'.

ipkg install coreutils

Full text, in German:

Adding BASH

First we will install the BASH package using IPKG
ipkg install bash

Next we will tell the system that we prefer BASH over ASH, thank you very much. We will do this by editing the /etc/passwd file. Be very very very careful editing this file, as if you muff it up then you might not be able to log into your system!

So, let's be super extra careful and make a back-up of the file, just in case.
cp /etc/passwd ~/just-in-case

Now we'll edit the file
vi /etc/passwd

Note: I would NOT recommending to switch shell for root user. If things go belly up you sure want to be able to login again under any circumstances. Replace the shell for a normal user instead! Keep the default shell for root!

Look for a line like this: (

We want to change the end bit to point to bash, so we change "/bin/ash" to "/opt/bin/bash". When you're done it will look like this:

Save the file, but DO NOT exit your ssh session! First, test our modification by attempting to log in again from another ssh window. If you cannot log in for whatever reason, then restore the file and try again
cp ~/just-in-case /etc/passwd

If you can login, then you delete the backup file and Bob's yer uncle.
rm ~/just-in-case

The man page for BASH is a fantastic wealth of information.
Read it. Know it. Love it.

Socks proxy

1. enable ssh
2. install ipkg (package handler)
3. configure ikpg to find the socks software over at DD-WRT
4. download and install via ipkg

Subversion server

ipkg install svn

Add a line for Subversion in '/etc/inetd.conf':
svn stream tcp nowait subba /opt/bin/svnserve svnserve -i -r /volume2/svn

Edit '/etc/services' to include Subversion data:
svn 3690/tcp # Subversion 
svn 3690/udp # Subversion

Finally, a reboot shall do the trick.

Full text:

If you get problems:

FTP blacklist

Block LAN-users from FTP-access

I found myself a solution. And since the thread has been moved to the Modding Room (thanks for that) I will now post it:

It's quite straight forward.
1. with the administration web interface create the user which shall have FTP access and give him a fairly hard password

2. Manage the user's access privileges to the folders you want to have exposed to the web via FTP. For example I created a dedicated ftp folder which is the only folder my new ftp-user has access to.

3. Log in via telnet and edit the file /etc/ftpusers. It took me quite a while to figure out, that this file is a black list which contains all users who shall NOT be able to do an FTP login. So enter each of your users here who shall not be able to do FTP, each in a seperate line.

You're done. There is no reboot required.

Swiss File Knife

A Command Line Tools Collection

Adding Linux programs and features

Additional packages for the DiskStation (called Optware)

System administration

How to retrieve data from RAID Volumes on Linux
PPC - Big endian
Wintel - Little endian

About little/big endian

Create Torrent-files

There are no comments on this page.
Valid XHTML :: Valid CSS: :: Powered by WikkaWiki