Installing an updated OpenWRT image.

OpenWrt Sysupgrade

OpenWRT has a command, sysupgrade, that is used to upgrade the flash image from an update file. I have not been able to get this to work, and have ended up installing LUCI, the web configuration interface, every time I need to update the root file system.

opkg install luci

This opens another can of worms, since lighttpd is happily serving pages on port 80, where LuCI's web server, uHTTPd, wants to be. To get around this, I told uHTTPd to use some other ports. To do this, change the ports in the lines containing listen in /etc/config/uhttpd, like so:

config uhttpd 'main'
    list listen_http ''
    list listen_http '[::]:8080'
    list listen_https ''
    list listen_https '[::]:4430'

Then restart uHTTPd:

/etc/init.d/uhttpd restart

LUCI will now be available on the current IP address, on port 8080 and encrypted on 4430. Use the root user/password to log in, and use openwrt-oxnas-stg212-ubifs-sysupgrade.tar to update the device.

After flashing the firmware, all packages need to be reinstalled. Opkg will probably complain about changed config files, but this just means our configuration changes have been kept.

After getting Gentoo to run on the Medion NAS in these posts, I learned that OpenWRT had been ported to the oxnas platform. This appealed to me, as OpenWRT is installed on the internal flash. Honestly, the Gentoo installation I had on the HDD was better suited as a web server, but I just wanted to play with OpenWRT. The only real reason for using OpenWRT instead of Gentoo is the hope that the OpenWRT folks will keep the kernel updated.

I still have my web page, and the files from which it is generated, on a hard disk drive, connected to the SATA port.

I recommend having a serial connection to the NAS running at all times.

Installing OpenWRT bootstrap.

This operation can only be executed once, and may brick your device. After the bootstrap there is no way to restore the original firmware. Because of this I cannot actually check that these steps are exactly right, but they are what I recall.

To bootstrap the installation I used the binary image from Gitorious openwrt-oxnas.

Set up an HTTP server on a computer to serve openwrt-oxnas-stg212-u-boot-initramfs.itb. Telnet into the NAS using the backdoor described on Login to the web-interface on the NAS, then open http://(NAS IP)/r36807,/adv,/cgi-bin/remote_help-cgi?type=backdoor (you may have to replace the /rXXXXX,/ with the revision number shown in the URL after login). The browser will wait for the CGI script to (never) end; while it is doing that, telnet into the NAS. Log in with user root and the password also used by the web interface (default is 1234).

telnet (NAS IP)

After logging in, download the OpenWRT image to /tmp/tmpfs. Look in /proc/mtd and make sure kernel is in /dev/mtd4. Write the image to /dev/mtd4, tell U-Boot to boot from it, and reboot.

cd /tmp/tmpfs
wget http://(server IP)/openwrt-oxnas-stg212-u-boot-initramfs.itb
cat /proc/mtd
nandwrite /dev/mtd4 openwrt-oxnas-stg212-u-boot-initramfs.itb
fw_setenv boot_stage2 'nand read 64000000 440000 90000; go 64000000'
fw_setenv bootcmd run boot_stage2
reboot
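
The image above is fetched over plain HTTP and written straight to flash, so it is worth checking both the target partition and the file before running nandwrite. The following is an added example, not part of the original post: the function names are hypothetical, the sample partition table is constructed, and it assumes you have a SHA-256 of the image from a trusted source.

```shell
#!/bin/sh
# Added example: pre-flash checks for the bootstrap step.
# Assumptions: helper names are illustrative; the expected SHA-256 comes
# from a trusted channel (e.g. computed on the build machine).

# Print the name of an MTD device from a /proc/mtd style table.
# $1 = device (e.g. mtd4), $2 = table file (defaults to /proc/mtd)
mtd_name() {
    awk -v dev="$1:" '$1 == dev { sub(/^[^"]*"/, ""); sub(/".*$/, ""); print }' \
        "${2:-/proc/mtd}"
}

# Return 0 only if the SHA-256 of file $1 equals the hex digest in $2.
sha256_matches() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Return 0 only when the device is the kernel partition and the image is intact.
# $1 = image, $2 = expected sha256, $3 = device, $4 = table file (optional)
safe_to_flash() {
    name=$(mtd_name "$3" "${4:-/proc/mtd}")
    if [ "$name" != "kernel" ]; then
        echo "refusing: $3 is '${name:-missing}', not 'kernel'" >&2
        return 1
    fi
    if ! sha256_matches "$1" "$2"; then
        echo "refusing: checksum mismatch for $1" >&2
        return 1
    fi
    return 0
}

# Demo on constructed data: sizes and the "env" name are made up, and the
# "image" is just the string abc so the digest is easy to verify.
demo_dir=$(mktemp -d)
cat > "$demo_dir/mtd" <<'EOF'
dev:    size   erasesize  name
mtd3: 00020000 00020000 "env"
mtd4: 00a00000 00020000 "kernel"
EOF
printf 'abc' > "$demo_dir/image.itb"
expected=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

if safe_to_flash "$demo_dir/image.itb" "$expected" mtd4 "$demo_dir/mtd"; then
    echo "checks passed, nandwrite may proceed"
fi
# Pointing at the wrong partition is refused before anything is written.
safe_to_flash "$demo_dir/image.itb" "$expected" mtd3 "$demo_dir/mtd" \
    || echo "mtd3 rejected"
rm -rf "$demo_dir"
```

On the NAS the call would be safe_to_flash image "$expected" mtd4 && nandwrite /dev/mtd4 image, with the table argument left out so that /proc/mtd is read.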

This is where the serial connection comes in handy, for watching the boot process. If everything went well LUCI, OpenWRT's web interface should be available on the NAS on address When you have compiled a new OpenWRT image you can flash it, by using LUCI.

Building OpenWrt.

OpenWrt Buildroot – About.

Since, for now, oxnas support is only in OpenWRT trunk, everything needs to be built.

I build this on a Gentoo system, which seems to need automake-1.14 installed for glib2 to build.

Getting the sources.

Change into the directory where you want the sources to reside and do:

git clone git:// 
cd openwrt

OpenWRT uses

To have the standard set of packages available for OpenWRT copy feeds.conf.default to feeds.conf.

cp feeds.conf.default feeds.conf

Custom feeds.

If you just want a web server, and do not need setuptools for Python 3, or my shiny site generator, you can skip this step.

I have made a couple of custom feeds that address some specific Python 3 needs I have for my static site generator. To have these packages available, add the following to feeds.conf:

src-git packages
src-git deadbok

Comment out the original package line in the file.

Update and add the feeds.

Add the packages to the build system.

./scripts/feeds update -a
./scripts/feeds install -a

Configuring the sources.

I have configured a lot of stuff, that I am not using right now, as modules, so that I can later install them if I find a need. This increases the build time, so it is a trade off compared to building just the packages that you want right now. You can download my configuration file, and use it as a basis for your own configuration.

mv openwrt-config .config

To configure the OpenWRT build run make menuconfig in the source directory.

I cannot describe every configuration option, but here are some important ones.

First to build OpenWRT for the NAS these tell the build system about the basic hardware:

Target System (PLXTECH/Oxford NAS782x/OX82x)
Target Profile (MitraStar STG-212)

Under Target Images select

  • ubifs is the file system of the images we will be building for the NAS.

  • ramdisk I always build a RAM disk as well, since it can be used to unbrick the device, if you can still access the boot loader through the serial connection. Under Target Images -> ramdisk make sure xz compression is selected.

Under Global build settings I enable at least

  • Enable shadow password support to have encrypted passwords for users in /etc/shadow.

  • Support for paging of anonymous memory (swap) To enable swap functionality in the kernel.

  • I disable all kernel debugging features, as this is a production environment.

If you want to develop or debug the build process of packages in OpenWRT enable Advanced configuration options (for developers), some sub-options that I use are:

  • Automatic rebuild of packages rebuilds packages when their files change.

  • Enable log files during build process log build output in files under log/.

Under Base system

  • ca-certificates build as a module for SFTP, HTTPS etc.

  • Enable the firewall as you might want to close everything to the outside.

  • busybox is customized for the multi user setup we will do later.

    • Customize busybox options enabled.
      • Busybox Settings.
        • General Configuration.
          • Support Unicode enabled to be on the safe side.
          • Support for SUID/SGID handling needed for the su command.
      • Coreutils.
        • groups, id, chmod, chown enabled.
      • Login/Password Management Utilities.
        • Support for shadow passwords same as earlier.
        • Use internal password and group functions rather than system functions enabled.
          • Use internal shadow password functions enabled, to use busybox functions instead of the shadow package.
        • adduser, addgroup, deluser, delgroup, passwd, enabled.
        • su, enabled.
          • Enable su to write to syslog, enabled. Root access will be logged.
      • Miscellaneous Utilities.
        • crond which I think is enabled by default.
        • crontab which I think is enabled by default.

In Kernel modules I believe that everything needed is enabled by default, but there is a little more stuff that is nice.

  • Block Devices
    • kmod-loop as module. Loop devices are so neat.
  • Filesystems enable whatever you may need.
  • LED modules these might be fun.

In Languages I enable python3 and setuptools for my static site generator.

In LuCI make sure to enable the basic interface and build it as a module. LuCI is the only reliable way I have been able to flash a new image to the NAS.

In Network a lot of things like web servers hide.

  • File Transfer, I have curl, rsync and wget compiled as modules.
  • SSH enable openssh-sftp-server for SFTP access.
  • Web Servers/Proxies enable a web server, I use lighttpd.
  • Enable webalizer if you want site statistics.


The CA-certificates package expects python to point to a Python 2.x interpreter. My Gentoo system uses Python 3, which leads to missing certificates. I made a patch that you can drop into packages/system/ca-certificates/patches in your OpenWRT directory, if you run into this.

To build everything just run make. To see all output from the build process use:

make V=s

The images end up in bin/oxnas, along with the packages. I flash openwrt-oxnas-stg212-ubifs-sysupgrade.tar using LuCI.

Adding custom packages.

OpenWRT wiki: OPKG Package Manager

I have chosen to compile most of the software I use, in this installation, as packages that must be installed after flashing the static image. Some of these packages are only installed for my own personal convenience, and some because they are needed for my static site generator.

Serving packages for OpenWRT.

Like when installing the bootstrap image, you need a web server with the package files available to OpenWRT. I assume that the OpenWRT package tree is copied to the root of the server. You could copy the package files to the HDD, but I have not tried that. /etc/opkg.conf needs an adjustment to tell opkg (the package manager) where to find the packages:

dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /overlay
src/gz base http://serverip/packages/base
#src/gz telephony http://serverip/packages/telephony
src/gz deadbok http://serverip/packages/deadbok
src/gz packages http://serverip/packages/packages
src/gz routing http://serverip/packages/routing
src/gz luci http://serverip/packages/luci
#src/gz management http://serverip/packages/management

Replace serverip with the IP address of the computer serving the packages.

Update the package index.

opkg update

Installing required packages.

File systems:

opkg install kmod-fs-ext4 swap-utils opkg e2fsprogs
modprobe ext4

Web server:

opkg install ca-certificates
opkg install lighttpd lighttpd-mod-accesslog lighttpd-mod-compress
opkg install lighttpd-mod-status lighttpd-mod-alias lighttpd-mod-access

  • lighttpd-mod-accesslog: Log access to the web server to a file.
  • lighttpd-mod-compress: Compress data before sending them to the client.
  • lighttpd-mod-status: Publishes some status information about the server.
  • lighttpd-mod-alias: Allows you to point an URL at a specific directory.
  • lighttpd-mod-access: Restrict access.

Installing the optional packages.

These are just tools that are nice to have.

File manager:

opkg install mc

Easy editor

opkg install nano

SFTP server:

opkg install openssh-sftp-server

USB mass storage support (aka. USB stick)

opkg install kmod-usb-storage-extras

Installing packages for ssg.

Python 3:

For some reason my package does not pull in the Python 3 dependency correctly, therefore the package python3 must be installed first.

opkg install python3
opkg install python3-setuptools


Links in /usr/libexec/git-core/ are wrong; this is corrected by creating the symlink, see Bug #11930.

opkg install git
ln -s $(which git) /usr/libexec/git-core/git

Final configuration.


System configuration

Global configuration is done in /etc/config/system. I sent the logs to a file on the HDD, and limited it at 1Mb in size. You should configure the host name and time zone to your local preferences.

The log levels of different subsystems are configured in this file as well. Notice that for conloglevel and klogconloglevel a higher number means more verbose, while for cronloglevel it is the other way around.

I have not touched the time server configuration, I only use the client part, and it worked out of the box.

config system
        option hostname         OpenWRT
        option log_file         /mnt/data/log/messages
        option log_size         1024
        option log_type         file
        option timezone         Europe/Copenhagen
#Log levels 1-8
#Higher is more verbose
        option conloglevel      4
#Lower is more verbose
        option cronloglevel     4

config timeserver ntp
        list server   
        list server   
        list server   
        list server   
        option enabled          1
        option enable_server    0

Mount points.

Fstab Configuration

There are two "disks" in the system, the internal flash, and the HDD connected to the SATA port.

  • / OpenWRT on the internal flash.
  • /mnt/data Root of the connected HDD.
  • /mnt/data/www Root of the pages served by lighttpd.
  • /mnt/data/log System log files.
  • /mnt/data/tmp Temporary files.

OpenWRT uses /etc/config/fstab to configure mount points.

config global
    option  anon_swap   '0'
    option  anon_mount  '0'
    option  auto_swap   '1'
    option  auto_mount  '1'
    option  delay_root  '5'
    option  check_fs    '1'

The global section tells OpenWRT not to mount any drives or swap that do not have their own section in fstab (the anon_ options), to automatically mount the file systems and swap space that are listed in fstab (the auto_ options), to delay mounting for 5 seconds, and to perform a file system check if needed.

config mount
    option target       '/mnt/data'
    option fstype       'ext4'
    option options      'rw,sync'
    option enabled      '1'
    option device       '/dev/sda2'
    option enabled_fsck '1'

This section configures /dev/sda2 as an ext4 partition with read-write access, and mounts it at /mnt/data.

config swap
    option device       '/dev/sda3'
    option enabled      '1'

Last is the swap space from /dev/sda3.

Create the mount point and mount the partitions.

mkdir /mnt/data
block mount

Create directories for web server, logs, and temporary files.

mkdir /mnt/data/www /mnt/data/log /mnt/data/tmp

Adding users and groups.

OpenWRT is not built to be a multiuser system, but it is possible to configure it like that. There are two options: either use shadow like a desktop Linux system, or use busybox's built-in user handling. I have used the busybox version, since it is lighter.

User directories are kept on the HDD and linked into the root file system.

mkdir -p /mnt/data/home
ln -sf /mnt/data/home /home

Users are added using the adduser command. Replace username with the user name you want.

adduser username

Next create the user directory and set the permissions.

mkdir /mnt/data/home/username
chown -R username /mnt/data/home/username
chmod 700 /mnt/data/home/username

I still want root access, but I want to log in as a regular user and su to the root account, like a desktop system. Busybox needs some setup for the su command to work.

chmod u+s /bin/busybox


su = ssx root.root

Disabling root access from ssh.

Dropbear Configuration

Now that su works, there is no reason to allow root access through ssh. If you do not need ssh, it would be even better to disable it.

For non root access: /etc/config/dropbear

config dropbear
    option PasswordAuth     '1'
    option RootPasswordAuth '0'
    option RootLogin        '0'
    option Port             '22'

Disable ssh entirely:

/etc/init.d/dropbear disable

File system permissions.

Permissions for /mnt/data/www/, the directory served by lighttpd.

chown http:www-data /mnt/data/www/

Configuring lighttpd.

Configuring Lighttpd, Lighttpd Secure Web Server Tutorial

Configuration is done in /etc/lighttpd/lighttpd.conf:

#Include the accesslog module to log web site access
server.modules = ( "mod_accesslog" )

#Root of the webserver is at /mnt/data/www
server.document-root        = "/mnt/data/www"

#Where uploaded files are stored    
server.upload-dirs          = ( "/mnt/data/tmp" )

#Where errors are logged
server.errorlog             = "/mnt/data/log/lighttpd/error.log"
#Process id             = "/var/run/"

#User and group that the server runs as
server.username             = "http"
server.groupname            = "www-data"

#Do not send server version
server.tag                  = "youdliketoknow"

#Use index.html if root is requested
index-file.names            = ( "index.html" )
#Disable auto index directory listings
dir-listing.activate     = "disable"

#Limit request method "POST" size in kilobytes (KB)
server.max-request-size  = 1

#Disable multi range requests
server.range-requests    = "disable"

#Disable symlinks
server.follow-symlink    = "disable"

#Debug options
debug.log-file-not-found    = "enable"

#Access log module
accesslog.syslog-level      = "6"
accesslog.filename          = "/mnt/data/log/lighttpd/access.log"

#Port to bind to
server.port                 = 80

include       "/etc/lighttpd/mime.conf"
#include_shell "cat /etc/lighttpd/conf.d/*.conf"

I have disabled symlinks in this configuration, which means that the web root directory, cannot be a symlink. You will get something like 403 Forbidden if you try. The same goes for symlinks inside the web root directory, they won't work.

You can change this behavior by changing server.follow-symlink = "disable" to server.follow-symlink = "enable", but I encourage you to read this answer on Server Fault.
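
Before switching follow-symlink to "enable", it helps to know which symlinks exist under the web root and whether any of them resolve to a location outside it, since those are the ones lighttpd would start serving. The following is an added example, not part of the original post; the function names and the demo directory layout are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit symlinks under a lighttpd document root.
# Assumptions: helper names are illustrative; file names contain no newlines.

# Print one line per symlink found under $1:
#   "inside <link>"                 target resolves within the document root
#   "OUTSIDE <link> -> <target>"    target resolves elsewhere (or is dangling)
audit_symlinks() {
    root=$(readlink -f "$1") || return 2
    find "$root" -type l | while IFS= read -r link; do
        # Resolve the whole chain; an unresolvable link is treated as outside.
        target=$(readlink -f "$link" 2>/dev/null) || target=""
        case "$target" in
            "$root"|"$root"/*) echo "inside $link" ;;
            *) echo "OUTSIDE $link -> ${target:-<dangling>}" ;;
        esac
    done
}

# Print the number of symlinks that escape the document root.
count_outside() {
    audit_symlinks "$1" | grep -c '^OUTSIDE' || true
}

# Demo on a constructed tree that mimics /mnt/data/www with one harmless
# link and one link that points at a file outside the web root.
demo=$(mktemp -d)
mkdir "$demo/www" "$demo/private"
echo '<html></html>' > "$demo/www/index.html"
echo 'not for publishing' > "$demo/private/notes.txt"
ln -s index.html "$demo/www/home.html"
ln -s ../private/notes.txt "$demo/www/notes.txt"

audit_symlinks "$demo/www"
echo "links leaving the web root: $(count_outside "$demo/www")"
rm -rf "$demo"
```

Run it against /mnt/data/www on the NAS if readlink -f is available in your busybox build; any OUTSIDE line is a path that would become reachable over HTTP once symlinks are followed.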

Enable lighttpd at boot.

/etc/init.d/lighttpd enable

I did not compile in netfilter in the cross compiled kernel I made in the previous post, so I had to recompile. Here is how to compile and install the kernel natively on the NAS.

Install mkimage.

The package u-boot-tools is needed to get the mkimage command to make a U-Boot kernel image.

emerge u-boot-tools

Compile the kernel.

Go to the sources and reconfigure them using menuconfig.

cd /usr/src/linux
make menuconfig

Compile kernel.

make zImage ox820-pogoplug-pro.dtb

Compile and install modules.

make modules
make modules_install

Create the kernel image.

cat arch/arm/boot/zImage arch/arm/boot/dts/ox820-pogoplug-pro.dtb > arch/arm/boot/zImage.fdt
scripts/ -A arm -O linux -C none -T kernel -a 0x60008000 -e 0x60008000 -n 'Linux-3.11.1+' -d arch/arm/boot/zImage.fdt arch/arm/boot/uImage

Write the image to the disk.

Edit the disk_create script to change the target drive in the variable disk to /dev/sda.

Integrate the new kernel into WarheadsSE's tool.

cd /usr/src/disk_create
cp /usr/src/linux/arch/arm/boot/uImage uImages/gentoo

Write the image.



Happy hacking.

I was given a Medion MD86517 NAS without a drive for free. I wanted to put a 2.5" disk in it, and use it as a web-server. The NAS runs Linux, and the sources are here.

A large part of the installation was done on a regular Gentoo x86/x64 PC, using a SATA to USB converter. Start with a clean drive with no partitions, connected to the host computer (Not the NAS).

During the install, I have aimed to have all files needed for a new install located on the NAS drive itself, in the hopes that it will make a reinstall easier. You can of course remove these files from /usr/src, if you do not want this.

Much of this stuff needs root permissions, and all the NAS side stuff is done through a serial connection. If something is unclear, read the Gentoo handbook; this is in essence the same procedure, except I boot into the system instead of chrooting.

A lot of thanks and credit to the people in this thread, without whom I would never have gotten on the right track.


To boot from the SATA disk, a special partition layout is needed. The ox820 reads the start of the drive, to check if it is bootable. A script has been written to put the right data in the first part of the hard disk. Download disk creation files created by WarheadsSE, extract the files somewhere, and enter that directory. Edit the disk_create script to change the target drive in the variable disk.

Creating the partitions

Prepare the disk using WarheadsSE's tool.


Fire up fdisk to partition the disk.

fdisk -c=dos /dev/sdb
  • Create a small partition for U-Boot, stage1, and the kernel. WarheadsSE recommends a 10M partition. This partition must start at sector 2048.

  • Create a second partition for the root file system, leave a little space left for a swap partition.

  • Create a third partition for swap space. Set it as swap type.

Format the second and third partitions; I use ext4 as the root file system.

mkfs.ext4 /dev/sdb2
mkswap /dev/sdb3

Last, mount the second partition to /mnt/gentoo; your partition may have another designation than /dev/sdb.

cd /mnt
mkdir gentoo
mount /dev/sdb2 /mnt/gentoo

Root file system

Download a stage 3 Gentoo for ARM5, and extract it to /mnt/gentoo. Though the processor is ARM6 compatible, I could not get it to boot beyond the kernel using an ARM6 stage 3.

tar -xvjpf stage3-armv5tel-20140115.tar.bz2 -C /mnt/gentoo

Set the baud rate in /mnt/gentoo/etc/inittab to 115200. Change:

#s0:12345:respawn:/sbin/agetty -L 9600 ttyS0 vt100

to:

s0:12345:respawn:/sbin/agetty -L 115200 ttyS0 vt100

Copy resolv.conf from your host /etc directory, to have DNS working.

cp -L /etc/resolv.conf /mnt/gentoo/etc/resolv.conf

Create a link from net.lo to net.eth0 to enable the network at first boot.

cd /mnt/gentoo/etc/init.d
ln -sf net.lo net.eth0

Edit /mnt/gentoo/etc/fstab to set the devices for the root and swap file system. The file should contain something like this:

#/dev/BOOT              /boot           ext2            noauto,noatime  1 2
/dev/sda2               /               ext4            noatime         0 1
/dev/sda3               none            swap            sw              0 0
#/dev/cdrom             /mnt/cdrom      auto            noauto,ro       0 0
#/dev/fd0               /mnt/floppy     auto            noauto          0 0

Copy passwd, shadow and group from the running system to have your logins and passwords when you boot the NAS.

cp /etc/passwd /mnt/gentoo/etc/passwd
cp /etc/shadow /mnt/gentoo/etc/shadow
cp /etc/group /mnt/gentoo/etc/group

Select mirrors for portage.

mirrorselect -i -o >> /mnt/gentoo/etc/portage/make.conf
mirrorselect -i -r -o >> /mnt/gentoo/etc/portage/make.conf

Set the timezone.

echo "Europe/Copenhagen" > /mnt/gentoo/etc/timezone

Set the hostname.

nano -w /mnt/gentoo/etc/conf.d/hostname
nano -w /mnt/gentoo/etc/hosts

Set the keymap (just in case).

nano -w /mnt/gentoo/etc/conf.d/keymaps

Last edit and change UTC to local if needed.

nano -w /mnt/gentoo/etc/conf.d/hwclock


You will need an ARM cross-compiler, Gentoo's crossdev comes in handy.

crossdev -t armv5tel-softfloat-linux-gnueabi

Clone linux-oxnas into /mnt/gentoo/usr/src.

cd /mnt/gentoo/usr/src
git clone
ln -sf linux-oxnas linux

cd linux-oxnas
make ARCH=arm ox820_defconfig CROSS_COMPILE=armv5tel-softfloat-linux-gnueabi-
make ARCH=arm menuconfig CROSS_COMPILE=armv5tel-softfloat-linux-gnueabi-

Boot options --->
[*] Use appended device tree blob to zImage (EXPERIMENTAL)
[*] Supplement the appended DTB with traditional ATAG information
disable PCI support if your device does not have one

Remember to compile in support for the root file system type. If you did like me, this means enabling the ext4 file system.

File system  --->
<*> The Extended 4 (ext 4) filesystem

Compile and create kernel image.

make ARCH=arm zImage ox820-pogoplug-pro.dtb CROSS_COMPILE=armv5tel-softfloat-linux-gnueabi-

cat arch/arm/boot/zImage arch/arm/boot/dts/ox820-pogoplug-pro.dtb > arch/arm/boot/zImage.fdt

scripts/ -A arm -O linux -C none -T kernel -a 0x60008000 -e 0x60008000 -n 'Linux-3.11.1+' -d arch/arm/boot/zImage.fdt arch/arm/boot/uImage

Final disk creation

Copy WarheadsSE's disk creation files (contents of onax-sata-boot.tar.gz) to the /mnt/gentoo/usr/src.

mkdir /mnt/gentoo/usr/src/disk_create
cp -Rv (Where you unpacked the files)/* /mnt/gentoo/usr/src/disk_create

Integrate the new kernel into WarheadsSE's tool.

cd /mnt/gentoo/usr/src/disk_create
cp /mnt/gentoo/usr/src/linux-oxnas/arch/arm/boot/uImage uImages/gentoo
rm uImage
ln -sf uImages/gentoo uImage

Preparing for first boot

Unmount and sync the disk.

cd /
umount /mnt/gentoo

Remove the drive from the host computer and physically install it in the NAS.

First Boot

Set the clock. MMDDhhmmCCYY is month, date, hour, minute, century, year

date MMDDhhmmCCYY

Get the portage tree.

emerge --sync

Set the Profile.

eselect profile list

I selected default/linux/arm/13.0/armv5te.

eselect profile set 18

Configure the locales, first put the locales you want supported in locale.gen.

nano -w /etc/locale.gen

Generate the locales and select the system-wide one.

eselect locale list
eselect locale set *locale nr.*
env-update && source /etc/profile

Add the network interface to the startup.

rc-update add net.eth0 default

Update and install some needed stuff.

emerge -uDNv world ntp cronie syslog-ng openssh logrotate dhcpcd

Add it to the startup.

rc-update add syslog-ng default
rc-update add cronie default
rc-update add sshd default
rc-update add ntp-client default
rc-update add swclock boot
rc-update del hwclock boot

The end

You now have a basic Gentoo system running, from here you can install a web server, a DLNA server, or whatever you want.

Generated on 2018-05-03 01:14:21.918461