Under The Covers
Like most other consumer-level NAS devices on the market, the StorCenter was clearly running Linux. A network port-scan of the device turned up no interesting open ports, but a fingerprint scan identified the TCP/IP stack as being from a Linux kernel. Connecting to the UPnP server port manually from a Telnet window gave me the following string:
SERVER: Linux/2.6 UPnP/1.0 Iomega TwoPeas UpnP/22.214.171.124
To verify my findings, I found that Iomega included Linux 2.6.12 and other GPL source code on the installation CD. The Linux configuration file included indicates that a Realtek 8169 provides the gigabit Ethernet support. Digging a bit into Iomega's documentation, it appears that the StorCenter has 64 MB of RAM, and is running on a Freescale MPC8241 processor. The internal drive runs at 7200 RPM and is formatted with the EXT2 file system. (This was changed over to XFS as of firmware version v1.27.) The 250GB model I tested had 8 MB of cache, while the 160 GB model has 2 MB.
While I was browsing the folder sharing options, I noticed the following parameter tacked on to the end of the URL: "list_dir=/nethdd". Thinking that perhaps changing it would allow me to get some more visibility into the operation of the system, I manually removed the "nethdd" portion and re-submitted. Bingo! I was rewarded with a display of the top-level directory structure of the operating system, shown in Figure 17. Using this menu, I was able to share the operating system directories as well as the normal data directories.
Figure 17: Directory listing via simple modified URL
Browsing through the read-only directories showed me a standard Linux system with PowerPC binaries and fairly heavy use of busybox for utilities and Samba for file sharing; this is a pretty standard combination with this type of device.
To check out what optional capabilities were provided in the busybox toolkit, I copied it over to my Power PC based KuroBox and verified that it would run there. Running it showed me that it didn't have a Telnet daemon included, which might have given me the ability to get a command shell on the running box. I suspect that with more effort, a user willing to risk his warranty could figure out a way to add custom code for additional functionality.