Mark,

Openwall is one of the better free lists out there. BT5 has darkc0de in it
(17mb). I can't think of any others that you don't have to pay for. However,
you can pass rules to JTR for creating word permutations on the fly to
expand your list (use the --rules option [note: default rules will increase
the dictionary size about 40x]) or add entries yourself to the text file. If
you have a good guess as to words the password probably contains, you could
use that with the word rules to make a custom dictionary to run against it.
Given how long your first dictionary attack ran, though, I would say that
getting a larger dictionary (and you can get some that are several gigs)
might be prohibitively time consuming. If you really want to go that route,
then I'd try it with something like hashcat or other hash generator that can
utilize a GPU. Even economy ATI and Nvidia cards can greatly speed the
process.

Just a thought, do you know if JTR is running the right hashing algorithm?
The first number in the /etc/shadow file should tell you. Not too long ago I
wasted a few hours waiting for JTR to crack the wrong hashed password before
I realized what happened. The --format option will take care of that.

This may be a silly question, but is it possible to boot the NAS in rescue
mode? If that's not an option, the only other alternative I can think of
would be looking for services vulnerable to privilege escalation.
http://www.exploit-db.com/ might have some useful code for that. Just do a
search for some of the services on the system.

I hope it works out!