The StorCenter ix2-200 is a RAID network drive supplied by Iomega. I have used the 2TB version for about two years now to keep secure (backed up) copies of my precious data. Any data I write to the device is mirrored on its paired 2TB drive inside the unit, so one drive can fail and I’ll still keep my data.
Recently I’ve had cause for complaint with this unit’s default network setup routine. When you switch the device on, it goes through a boot routine that sets up its network address and subnet. If possible it does this via DHCP, so if you’ve got it connected to your router it’ll be assigned an appropriate IP and will be instantly visible on the network.
The problems start when, for whatever reason, the device is not able to obtain network settings via DHCP. In that case it assigns itself an address in the range 169.254.x.x with subnet 255.255.0.0, so the network drive could end up with any one of 65536 possible IP addresses. How is one supposed to know which IP address it has assigned itself?
I had two choices. Set my computer to scan all of the 65536 possible IP addresses until it finds an active one. Or, take the unit apart and see what hardware hacking can be done. The former is probably quicker, but the latter is more fun. Hence, this hardware hacking blog was born.
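The first option above, as an added example that is not part of the original post: a threaded TCP connect sweep of 169.254.0.0/16 looking for the unit's web interface. It assumes the web interface listens on port 80 and that the scanning PC's own interface has a 169.254.x.x address with mask 255.255.0.0, so the range is on-link; the function names are this example's own.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

# The self-assigned range described in the post.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def candidates(network=LINK_LOCAL):
    """Every usable host address in the range (network and broadcast excluded)."""
    return [str(ip) for ip in network.hosts()]


def web_ui_open(ip, port=80, timeout=0.3):
    """True if a TCP connection to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        # Covers timeouts, refused connections and unreachable hosts.
        return False


def sweep(addresses, port=80, timeout=0.3, workers=256):
    """Probe all addresses concurrently; return the ones that answered, in order."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda ip: web_ui_open(ip, port, timeout), addresses)
        return [ip for ip, is_open in zip(addresses, results) if is_open]


if __name__ == "__main__":
    # Port 80 is an assumption about where the NAS web interface listens.
    for ip in sweep(candidates()):
        print(ip)
```

Each address printed is only a candidate; opening it in a browser confirms whether it is the NAS.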
With the unit apart, I found a conspicuous-looking pin header called JP1. A few pokes around with my ‘scope revealed what looked like microprocessor-level (3.3V) RS232 comms on one of the pins.
Completing the hack…
The next task was to see if I could view these signals on a PC. The main problem here is that the data output is at 3.3V logic levels (basically it’s the raw output from a microprocessor), whereas the RS232 input to a PC expects standard RS232 logic levels of +/-12V. It’s easily solved though: you just need to get yourself an RS232 level-shifter chip such as a MAX3232, rig up a circuit as per my schematic shown below, and then connect it to JP1 (as shown on the schematic) according to the pinout in the photo.
I only had an SMT version of the MAX3232 part in my junk bin so I soldered it onto some proto-board with the 0.1uF capacitors tacked on top and then I wired it up to JP1 as shown in the photo below.
Viewing the data on the PC.
In order to view the data on a PC you simply need to put everything back together, connect the ends of your cables to a DB9 connector as shown in the schematic, and then connect the DB9 connector to your PC’s serial port via a standard 9-way serial cable. Then fire up a terminal (I recommend PuTTY) and enter the following settings:
Once you’ve entered the settings, select connect and power on the NAS. If all goes well, some boot-time debug data should start spitting out on the terminal, something like that shown below:
After 2-3 minutes you should be presented with a login prompt. If you want to gain root access to the NAS over your PC terminal simply log in with the following credentials:
That’s it – you’re in with root privileges. You can now enter the standard Linux commands and change whatever you wish. My main reason for going to all this trouble (apart from enjoying hardware hacking) was to find out the boot-time network settings it was assigning itself. Once I knew those, I was able to gain access via the standard PC-based web interface and change the settings to suit my home network.
I hope you enjoyed! Here is a quick video of the entire boot process and logging in: