Here is the ZyXel NSA-320 in all its glory. To give you a feel for its size, that's a 3.5" HDD with an external 2.5" HDD. The ZyXel supports two internal 3.5" SATA HDDs, and has 512 MB of RAM, 128 MB of flash and a 1.2 GHz ARM926EJ-S CPU. So only 300 MB less on RAM than the MK802, but it makes up for it in lots of other ways. For £60 this thing is a beast!
First off, in order to flash it, we need to get a root telnet session on the box. This is actually really simple, taking advantage of the development telnet back door. Typically, every device of this sort will have a back door of some description, since there needs to be a way of debugging devices in test harnesses when they go wrong. Test harnesses typically have to run the releasable software/hardware, otherwise it's not really a valid test. If something goes wrong, it's not reproducible, and you have no way of logging on to investigate the failure, you have a potential PR disaster on your hands. So, pave the way for the inevitable back doors!
The back door on this can be enabled by logging onto the device web interface in administrator mode. Make a note of the path element I have highlighted with a red circle; you will need this to enable the telnet back door.
Having just logged in and using that part of the path, access the following URL (substituting accordingly): http://10.42.0.48/r38571,/adv,/cgi-bin/remote_help-cgi?type=backdoor
After this, you will get a blank screen and the back door will be accessible for a limited time:
Now for the fun part. The login is not simply the one you used for the web interface: the password is a hash of the device's MAC address, generated by a special ARM binary found on the NSA-320 itself. So it's a catch-22: you need to get access to the NSA-320 in order to get access to the NSA-320. Fortunately, I have a workaround, since you can download the utility and run it with qemu-arm. You just need your device's MAC address, which is on the system status page of the administration web interface. Ensure you use a capitalised MAC address, since anything else will result in a different hash.
Download the makekey utility here: makekey utility
Install qemu and libc6-dev-armel-cross, then ensure qemu-arm is available. To get the "root" password, run the makekey like so:
Armed with your privileged user's password, you can log into the telnet back door. Repeat the process above to get the telnet session open, then log in with the user: NsaRescueAngel
And there you have it, a privileged BusyBox shell on your NSA320. I will post a follow-up demonstrating how to use the boot loader to boot your preferred ARM Linux distribution.
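For anyone who runs one of these on a shared network, the enabling request described above is easy to spot in web proxy logs. The following is an added example, not code from the original post: it scans Common Log Format lines for requests to remote_help-cgi with type=backdoor, including percent-encoded variants. The log lines, timestamps, client addresses and the function name find_backdoor_requests are constructed for illustration; only the first URL comes from the post.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed proxy log lines (Common Log Format). Only the first URL is from
# the post; addresses, timestamps and the other paths are made up.
SAMPLE_LOG = """\
10.42.0.7 - - [01/Jan/2013:21:14:02 +0000] "GET http://10.42.0.48/r38571,/adv,/cgi-bin/remote_help-cgi?type=backdoor HTTP/1.1" 200 0
10.42.0.7 - - [01/Jan/2013:21:14:09 +0000] "GET http://10.42.0.48/index.html HTTP/1.1" 200 512
10.42.0.9 - - [01/Jan/2013:22:40:31 +0000] "GET http://10.42.0.48/r38571,/adv,/cgi-bin/remote%5Fhelp-cgi?x=1&type=back%64oor HTTP/1.1" 200 0
10.42.0.9 - - [01/Jan/2013:22:41:00 +0000] "GET http://10.42.0.48/r38571,/adv,/cgi-bin/remote_help-cgi?type=other HTTP/1.1" 200 0
this line is truncated or malform
"""

# client, timestamp, method, request target, status
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def find_backdoor_requests(lines):
    """Return one record per request that asks the NAS to open its telnet back door."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        client, when, method, target, status = m.groups()
        url = urlsplit(target)  # handles absolute (proxy) and origin-form targets
        # Decode percent-encoding and compare case-insensitively, so encoded
        # or re-cased variants of the same request are still matched.
        path = unquote(url.path).lower()
        types = [v.lower() for v in parse_qs(url.query).get("type", [])]
        if path.endswith("/cgi-bin/remote_help-cgi") and "backdoor" in types:
            hits.append({
                "client": client,
                "time": when,
                "device": url.hostname or "-",
                "status": int(status),
            })
    return hits

if __name__ == "__main__":
    for hit in find_backdoor_requests(SAMPLE_LOG.splitlines()):
        print("telnet back door enabled on {device} by {client} at {time} "
              "(HTTP {status})".format(**hit))
```

Each hit is worth correlating with connections to TCP port 23 on the same device shortly afterwards, since the back door only stays open for a limited time.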