TRENDnet USB 2.0 Network Storage Server (TS-U200)
Summary: BYO NAS that can share USB hard, CD-ROM and flash drives. Also backs up memory cards to defined shares.
Pros:
• Push-button backup of memory cards & USB Flash keys
• Auto download (backup) feature
Cons:
• No event logging or alerts
There are three basic types of consumer Network Attached Storage (NAS) devices on the market today. The first is completely self-contained. It comes with the basic electronics of the device and the disk-drive(s) integrated inside a single box. The second type, a Bring Your Own Disk (BYOD) box, is like the first, except that consumers purchase their own disk drives and install them into the box themselves.
The third type separates the computer that runs the file server from the disk drive(s), where file server and disk(s) go into their own separate boxes. Consumers plug a standard external disk drive chassis into such units to share one or more drives across the network. The Linksys NSLU2 [reviewed here] is a popular example of this third type of product. But there’s ample room for competition in this market segment. In this review, I look at a competitor to the NSLU2, the TRENDnet TS-U200.
Like the NSLU2, the TS-U200 is tiny. Its size, shape and styling are those of a small paperback book. The front of the unit includes a number of status LEDs along with slots for numerous flavors of memory cards including CF Type I/II, Smart Media, Memory Sticks (Pro and Duo included), SD, and MMC.
The back of the unit, shown in Figure 1, has two USB 2.0 ports, a 10/100 Ethernet port, power connector, reset button, and a button for unmounting the disk drives.
Figure 1: Rear view of the TS-U200
The top of the TS-U200 proffers a single button labeled “Backup” (you can see it at the upper rear right in Figure 1, on the front edge of the top). It’s used to copy the contents of a memory card to a disk drive plugged into one of the device’s USB ports.
For my setup, I plugged in an external USB 2.0 drive formatted using the FAT32 file system. (The hard disk in that USB chassis was a Maxtor 120GB, 7200 RPM drive with 8 MB cache.) Although I didn’t verify this information, TRENDnet says the TS-U200 also will share files from any USB CD-ROM or USB flash drive with “no limit” on individual or total drive size. And while they don’t document this feature, you can attach a USB hub to add even more drives (they’ve tested four USB drives connected via one of their TU2-400 4 port USB 2.0 hubs).
Using a FAT32 formatted drive allows a drive to service various operating systems such as MacOS, Linux and Windows, all of which can read and write this format. However, one of FAT32’s most noticeable downsides is its limit on file sizes. Depending on the system using the format, the maximum file size is either two or four gigabytes. This is one way in which the TS-U200 lags behind the NSLU2: the latest versions of the NSLU2 firmware support the more modern NTFS file system. NTFS offers better performance and larger file sizes at the expense of portability (native NTFS support is not commonly found in systems other than Windows NT, XP or 2000).
When I powered this unit up, it was completely silent – because the TS-U200 has no moving parts. Initial installation is fairly straightforward except for one little quirk. Instead of acquiring an initial IP address using DHCP, the unit comes up on a predefined address of 192.168.1.2 (a Class C private IP address). This is fine, assuming that this address is within your chosen subnet, and isn’t already allocated to some other device. If this isn’t a workable address, you’ll need to reconfigure your network temporarily, or to create a private network so you can set up this device. For me, it wasn’t an issue and the unit came up properly on my network without a hitch.
Like most consumer NAS units on the market, a Web browser handles all basic device configuration tasks. TRENDnet includes Windows-only software to locate the device and spawn a browser for you, but that’s optional because you can simply direct your browser to the http://192.168.1.2/ URL yourself. However, a UPnP server also runs on the TS-U200, which allows for discovery by devices supporting this protocol.
The initial login screen (shown in Figure 2) offers two options: “Download Schedule” and “Config”. I clicked on the latter button, which led me into setup options for the TS-U200.
Figure 2: Login screen for the TS-U200
A successful login produces a configuration screen that’s divided into three parts: “Basic”, “Advanced”, and “Maintenance”. Basic configuration includes options for setting up standard network parameters, setting up “Samba” and establishing date and time on the box. By the way, I found it interesting that the Samba name was used explicitly, since it might be confusing to some users. Samba is an open-source implementation of the SMB file-sharing protocol used natively in Microsoft Windows systems. This menu let me set the “Workgroup Name”, the “Server Name” and provide a “Server Description”.
The date/time setup screen allowed me to set basic values, but it also let me specify that time should be acquired from a time server. It struck me as a curious omission, though, that the screen provided no means for selecting which time server to use (as shown in Figure 2), even though it would happily test a default selection.
Figure 3: Setting date/time on the TS-U200
This feature appeared to work, but if this unidentified time server ever goes down, there is no obvious way to change it! This reminded me of a funny story about time servers and consumer hardware. By now, manufacturers should have learned some hard but obvious lessons about hard-coded references to NTP servers!
The Advanced menu offered options for more detailed configuration changes. Under the heading of user-management, I could create, delete and change individual user accounts, but found no explicit “Group” management capabilities. Under the Samba menu heading, I found that I could change the same options that appeared under the Basic menu, but could also define and manage network shares, or “Sessions” as the menus call them. Sessions could be restricted to individual users or defined as read-only for all users.
On the Add Session screen (Figure 4), I was puzzled by the specification for the disk path to be shared. As shown in Figure 4, the Path item includes a textbox for the path specification, and an Open button.
Figure 4: Setting shared folders on the TS-U200
Pressing the Open button or attempting to type into the form textbox both produced a nearly blank screen with another textbox and an OK button, as shown in Figure 5. And any attempt to type into this textbox was erased immediately, while pressing OK simply returned me to the original form with no changes.
Figure 5: This mystery textbox resulted from browser compatibility issues
Eventually I realized this text-entry form just didn’t work properly with either my Safari or Firefox browsers. It worked correctly only with Internet Explorer, where it listed all shares available for selection, as shown in Figure 6.
Figure 6: Setting shared folders on the TS-U200
Tip: As a work-around when using my other browsers, I learned that I could “View source” for the configuration Web page, then cut-and-paste the proper value from the source into the field inside the browser itself.
Once Sessions are defined, they can be modified or deleted quite easily, and the final Samba menu enables share access to be restricted on the basis of IP address. After I set up my network shares / sessions, I was able to mount and use them normally from all operating systems on my LAN including my Windows XP laptop, Macintosh iBook, and Linux laptop.
Next, I went into the CR Backup menu where I was allowed to specify which disk to use to back up memory cards. Once I had this configured, I performed a quick test by inserting a Compact Flash card into the unit, and pressing the Backup button on top. After a few seconds I checked my destination drive, where I found a new directory named with the current date and time at the time of backup. Inside that directory, I found a copy of the directory structure from my Compact Flash card. Very handy!
Also found under the Advanced menu are the FTP server controls. As shown in Figure 7, you can enable the FTP server and fully customize it with a non-standard port number, directory path, maximum number of simultaneous users, flow control and timeout settings, etc.
Figure 6: FTP Server configuration on the TS-U200
The final option section inside the configuration menu is Maintenance, where you can upgrade the firmware, reset everything to default values, and set user idle timeout values for web configuration screens. A couple of obvious things I didn’t see included were an alert mechanism for problem reporting, or any sort of logging service or reporting to help monitor this device. Most of the other devices of this kind offer at least one of these features, if not both.
Once I had explored all the configuration options, I logged out and landed back at the initial login screen where I was then able to explore the Download Schedule menu. This menu allows you to set up either repeating or one-time downloads from FTP and HTTP, i.e. Web, sites (Figure 7).
Figure 7: Download scheduling on the TS-U200
When I pointed the device at an FTP server on my network, it succeeded in downloading everything to the specified share. I also set up a repeating job to download a current weather satellite photo from a web site, which also worked well. The TS-U200 did not appear to be able to back up from a network share to the TS-U200, but a couple of quick tests soon proved otherwise.
I measured read and write file system performance for the device using the iozone tool as described here. All tests were run under Windows XP SP2 on a Dell Inspiron 1000 laptop with 384 MB of RAM installed.
NOTE! How fast a computer can read or write data to a drive depends on many factors specific to the system running the test, so this test may not represent actual performance you’d see on your own system. The maximum theoretical data transfer rate one would expect to see on a 100Mbit network is around 12,000 kBps, so any values that exceed that number appear as a result of caching behavior, not network speed.
Figure 8 shows the results of the read test, while Figure 9 shows the write test. Peak (cached) write performance is in line with other consumer NAS devices I’ve tested, but peak read is on the low end.
To put these results in perspective, I also ran the same iozone tests against a number of similar devices, including:
The comparative results shown in Figures 10 and 11 are taken with a 128MByte file size, which is large enough to bypass OS caching effects and show the hardware-limited performance of NAS devices.
You can see that the TS-U200 falls at the bottom of the pack. In fact, the next slowest device is more than twice as fast as the TS-U200. For comparison, the NSLU2 – which also uses an external USB 2.0 drive – clocks in four times faster when writing.
Since the TS-U200 did so poorly in these tests, I ran them twice to make sure something hadn’t gone wrong, but it didn’t help. I even took the same USB enclosure and drive, plugged it into the USB port of a Maxtor Shared Storage NAS [reviewed here] and ran an iozone test, with significantly better results. So it appears that TRENDnet clearly has plenty of room to improve the TS-U200’s performance!
Under the Covers
There’s not a huge amount of stuff packed inside the TS-U200’s diminutive enclosure. Figure 12 shows the primary circuit board, with the card reader daughter board piggybacked on top. The large NEC chip you see is a USB 2.0 Controller.
Figure 13 is the same board, but with the chip reader daughter board flipped up to reveal the main CPU chip. It’s an ADM5120, which is a MIPS-based CPU that includes built-in Ethernet support.
As with other NAS devices I’ve reviewed, there was no doubt that the TS-U200 runs Linux internally since TRENDnet provides a downloadable GPL package. But although I knew it ran Linux, I needed run-time access to really see what was going on. So I did a network port-scan of the box, but that turned up nothing more than web, FTP, and Samba servers running. I could also FTP into the box, but once in, could see nothing outside the files in the shared folders, and simple attempts to get into the operating system directories from the FTP prompt failed.
Then I recalled that when configuring the FTP server, a path could be specified. My workaround for the Sessions configuration browser-related problem showed that I could easily cut-and-paste into the field rather than using pre-defined values. Although all paths had to be made relative to the shared library, a few attempts showed that I could “pop” up levels with a path like the following:
Once the FTP server was told to use this path, I could FTP into the box and obtain full unfettered access to any directory or file the FTP user could access. This allowed me to browse through the operating system directories where I could see lots of interesting information. As in so many of the consumer NAS devices I’ve reviewed, busybox was used heavily.
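The missing control here is a containment check on the configured FTP path. The C code below is an added example, not TRENDnet's firmware code: it rejects any relative path that could resolve above the share root. The function name and the sample paths are constructed for illustration.

```c
/* Added example, not TRENDnet firmware code; the name is hypothetical. */
#include <stdio.h>
#include <string.h>

/* Returns 1 if `rel`, interpreted relative to the share root, can never
   resolve above that root, and 0 otherwise. The check is purely lexical:
   symlinks inside the share still need a realpath() comparison on top. */
int path_stays_in_share(const char *rel) {
    int depth = 0;
    const char *p = rel;
    if (*p == '/')                  /* absolute paths bypass the share root */
        return 0;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t n = end ? (size_t)(end - p) : strlen(p);
        if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)        /* climbed above the share root */
                return 0;
        } else if (!(n == 0 || (n == 1 && p[0] == '.'))) {
            depth++;                /* ordinary component: one level down */
        }
        p += n;
        if (*p == '/')
            p++;
    }
    return 1;
}

int main(void) {
    /* Constructed sample paths, not values taken from the device. */
    const char *samples[] = {"music/albums", "music/../photos", "music/../.."};
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s -> %d\n", samples[i], path_stays_in_share(samples[i]));
    return 0;
}
```

The check belongs where the setting is saved and again where the FTP server reads it, so a value pasted past the browser form is still refused.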
Looking into the proc filesystem also revealed 32 MegaBytes of RAM installed, and as Figure 13 shows, the CPU was reported as a MIPS based Adm5120 running at 175 MHz. The Linux kernel version was a customized 2.4.18 and Wget evidently provides the TS-U200’s download capability. Rummaging around a bit more turned up a reference to Cellvision, and a visit to their web site turned up a similar product, which may indicate that they are the OEM for this device. Similar poking around revealed that the web server for this box appears to be GoAhead.
Anatomy of a Hack
I’m always interested in customizing these boxes, so as I looked through the directories using the FTP interface, I kept an eye out for a place where I could get my own code to run such as a telnet or web server, or some additional program for customization purposes. But the directory structure appeared to be in a RAM disk and very well buttoned down with appropriate protections where only the “root” user had permission to write. I tried a few things, but got nowhere, so it was time to take a different approach.
Web applications are often the source of many security holes and any time user input is accepted, it’s essential for programmers to validate such input. So while I was playing with the “Download” feature, I wondered if the URL I entered would be passed on without validation. In a Unix-like system, two commands can be executed on a single line in any number of ways. The simplest way is to separate two commands with a semicolon.
So if the URL I entered was passed on unmodified, all I would have to do is tack a new command onto the end of the URL separated with a semicolon, such as the Unix command:
to the end of a bogus URL, making the final URL read as follows:
If this worked when I submitted the URL, I would find a listing of all running processes in a file named log located in the /tmp directory. Fortunately, the Download form even has a handy Test button to permit URLs to be tested, so I could try different options without having to define a real download job.
So for my first attempt, I entered the URL above and hit the Test button. Then I FTP’ed into the box, went to the /tmp directory and Voila! I found a file named log. Even better, looking into the file revealed this line along with all of the other processes:
1609 root 396 S sh -c wget -T9 -t1 -V http://a/;ps>/tmp/log
This confirmed my guess that the command in the URL was passed directly to a command shell without modification. Even better, it ran with root privileges! Game over. I now “owned” this box and could do anything I wanted. To make life a bit easier, I verified I could run a custom script from the hard drive.
Since my Linksys WRT54G is also a Linux-based MIPS box, I grabbed a web server from my WRT54G distribution, put the executable on the hard drive, and added commands to my script to start it up on port 8000. So when I executed my script from the Download page, I had a new, custom web server running on port 8000. At this point I was confident that given time, I could take the box as far as I wanted, adding an MP3 server, a database, and so forth.
NOTE! This vulnerability has been reported to TRENDnet, which is in the process of creating new firmware to close this security hole. However, the firmware available at the time of this review’s posting (TSU200.1.86.0325.2005.zip) contains the security hole.
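The root cause is that the URL reaches a shell at all. The C code below is an added example, not TRENDnet's firmware code: it shows the string-building pattern implied by the process listing beside a hardened version that validates the URL and hands it to wget as a single argument. The function names are hypothetical, and support for `--` in the device's wget build is an assumption.

```c
/* Added example, not TRENDnet firmware code; function names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern implied by the process listing: the URL is pasted into
   a string that `sh -c` parses, so a `;` in it starts a second command. */
int build_shell_command(const char *url, char *out, size_t n) {
    return snprintf(out, n, "wget -T9 -t1 -V %s", url);
}

/* Allow-list check: http:// or ftp:// plus a conservative subset of URL
   characters. `;`, `$`, `|`, `<`, `>`, quotes, backticks, backslashes,
   whitespace and control bytes are all rejected. */
int url_is_acceptable(const char *url) {
    static const char ok[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "0123456789-._~:/?#[]@%&=+,";
    size_t len = strlen(url);
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "ftp://", 6) != 0)
        return 0;
    return len <= 2048 && strspn(url, ok) == len;
}

/* Hardened form: the URL travels as a single argv element to execvp(), so no
   shell parses it; "--" ends option parsing. Returns wget's exit status
   (127 if wget cannot be executed), or -1 on a rejected URL or fork/wait error. */
int run_download(const char *url) {
    int status;
    pid_t pid;
    if (!url_is_acceptable(url))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = {"wget", "-T9", "-t1", "--", (char *)url, NULL};
        execvp(argv[0], argv);
        _exit(127); /* only reached if wget could not be executed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char cmd[128];
    const char *sample = "http://a/;ps>/tmp/log"; /* URL from the review */
    build_shell_command(sample, cmd, sizeof cmd);
    printf("string a shell would parse: %s\n", cmd);
    printf("accepted by allow-list: %d\n", url_is_acceptable(sample));
    return 0;
}
```

The argv-based exec is the primary fix and the allow-list is a second layer. Running the download helper as an unprivileged user rather than root would further limit what any remaining flaw can reach.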
The TS-U200 offers an interesting mix of features at a price point within range of similar products. Its card reader functionality is well done (although it would be better if it could also automatically copy data from USB flash keys) and the “Download” feature is unique among all NAS devices I’ve tested.
But this little guy has downsides as well, with the security hole I turned up being the biggest “uh-oh”. While casual users won’t notice it (and I might not have, had I not been doing my usual poking around for ways to get at the TS-U200’s Linux underbelly), you should not place the TS-U200 directly on the Internet or expose its FTP, Telnet or HTTP ports to the Net via router port forwarding until TRENDnet releases a fix.
However, what many users will notice is the product’s slow file system performance – significantly slower than any other product in my 128MByte file transfer comparison. You might get by if you’re using it for casual file serving, but if you’ll be frequently moving large audio and video media files to and fro with it, you probably won’t be happy.
Finally, if you’re trying to decide between the Linksys NSLU2 and the TS-U200, I’d be remiss if I failed to mention another area where the NSLU2 bests the TS-U200. The NSLU2 boasts a large and active development community that works hard to extend the stock capabilities of the device far beyond its original scope. TRENDnet may have intended for the TS-U200 to compete with the NSLU2, but if so, they’ve fallen short of that goal.