SenaoWRT Linux 2.6 - 3.0 Failsafe Platform

The Senao SDK used by several vendors includes a patched U-Boot bootloader that verifies the kernel and rootfs with checksums, plus a failsafe image that is booted when a checksum fails so that a new image can be uploaded to flash.

The following information applies to these devices, and many more:

The only guaranteed safe method to move from 19.07 or earlier (or an old master snapshot) to 21.02 is to trigger the OEM failsafe image to boot by rewriting one of the checksums verified at boot:

  1. Log in as root via SSH, then enter the following command:

    fw_setenv rootfs_checksum 0

  2. Wait a minute.
  3. Connect a computer to the device's ethernet port and set it to a static address in 192.168.1.x.
  4. In a browser, navigate to the failsafe upload page.
  5. Select the factory.bin image and upload it.

Standard UART pinout is available on the board.

Pinout is in the following order, with respect to the board.

  1. 3.3 V (white arrow)
  2. GND
  3. TX
  4. RX

U-Boot can be interrupted by hitting any key.

Many standard U-Boot commands, such as tftpboot, bootm and printenv, are available.

For some of the devices (like the EAP1200H), the TX pin is shorted to ground by a resistor.

The U-Boot environment includes a custom command to load the failsafe image:

    run failsafe_boot

The OEM software is a heavily modified version of OpenWrt Kamikaze. The Senao SDK uses a script for sysupgrade located at /etc/

Image verification passes if the supplied file gunzips and untars successfully and the resulting contents pass a name check and a header check. To form a factory.bin that is accepted by the OEM OpenWrt build, the kernel and rootfs must have specific names…

  • openwrt-senao-eap600-uImage-lzma.bin
  • openwrt-senao-eap600-root.squashfs

and must begin with the respective headers (uImage, squashfs). The two files are then tarred and gzipped, so the resulting factory.bin is really a tar.gz file in disguise. You can confirm this by running binwalk on an OEM firmware image, or simply by gunzipping and then untarring it.
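As an added example (not code from the page or from the Senao SDK), the checker below mirrors the three acceptance steps described above: gunzip, untar, then verify member names and leading headers. The member names are the ones listed on the page; the magic values for the uImage header (0x27051956) and the little-endian squashfs superblock ("hsqs") are standard format constants. `build_sample_image` constructs a toy factory.bin with placeholder payloads so the checker can be exercised offline; it is not a real firmware image.

```python
import gzip
import io
import tarfile
from typing import List

# Magic bytes of the two container formats the OEM sysupgrade script expects.
UIMAGE_MAGIC = b"\x27\x05\x19\x56"   # U-Boot legacy image header, ih_magic field
SQUASHFS_MAGIC = b"hsqs"             # little-endian squashfs superblock magic

# Member names the page says the Senao build requires, mapped to the header each must start with.
EXPECTED_MEMBERS = {
    "openwrt-senao-eap600-uImage-lzma.bin": UIMAGE_MAGIC,
    "openwrt-senao-eap600-root.squashfs": SQUASHFS_MAGIC,
}


def check_factory_image(data: bytes) -> List[str]:
    """Apply the OEM acceptance checks (gunzip, untar, name + header check).

    Returns a list of problems; an empty list means the image would be accepted.
    """
    try:
        raw = gzip.decompress(data)
    except (OSError, EOFError) as exc:          # gzip.BadGzipFile is a subclass of OSError
        return [f"not a valid gzip stream: {exc}"]
    try:
        tar = tarfile.open(fileobj=io.BytesIO(raw), mode="r:")
    except tarfile.TarError as exc:
        return [f"gunzipped payload is not a tar archive: {exc}"]

    problems: List[str] = []
    with tar:
        # Normalise "./name" to "name" so either tar layout is accepted.
        members = {}
        for m in tar.getmembers():
            if m.isfile():
                members[m.name[2:] if m.name.startswith("./") else m.name] = m
        for name, magic in EXPECTED_MEMBERS.items():
            member = members.get(name)
            if member is None:
                problems.append(f"missing member {name}")
                continue
            head = tar.extractfile(member).read(len(magic))
            if head != magic:
                problems.append(f"{name}: bad header {head.hex()} (expected {magic.hex()})")
    return problems


def build_sample_image(kernel_ok: bool = True) -> bytes:
    """Construct a toy factory.bin for testing: a gzipped tar holding two dummy members.

    The payloads are placeholder bytes, not a real kernel or rootfs; only the member
    names and the leading headers matter for the check above.
    """
    kernel_header = UIMAGE_MAGIC if kernel_ok else b"\x7fELF"   # a raw ELF would be rejected
    members = {
        "openwrt-senao-eap600-uImage-lzma.bin": kernel_header + b"\x00" * 60 + b"dummy kernel",
        "openwrt-senao-eap600-root.squashfs": SQUASHFS_MAGIC + b"\x00" * 92 + b"dummy rootfs",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, payload in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    print("good image:", check_factory_image(build_sample_image()) or "accepted")
    print("bad kernel:", check_factory_image(build_sample_image(kernel_ok=False)))
```

Run it against a real OEM image with `check_factory_image(open("factory.bin", "rb").read())`; an empty list means the archive has the structure the OEM script expects. The same inspection can be done by hand with `tar -tzvf factory.bin`, which is the "ungzip then untar" step the page describes.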

It is highly recommended to use the serial console when loading TFTP images. Loading without it is not reliable and may take many attempts.

Rename initramfs-kernel.bin to 'vmlinux-art-ramdisk' and make it available on a TFTP server. When powering on the board, hold the reset button or press it repeatedly.

NOTE: for some EnGenius boards TFTP is not reliable; try setting the MTU to 600 and retry many times.

1. Enable CLI

First, log into the web interface on the EAP600. Then click on the “CLI Settings” link from the “Management” section of the left-hand navigation bar. Click on the radio button for “On” and then press the “Save/Apply” button. If it is already “On”, skip this step.

2. Log in via telnet

Telnet into the device and log in with your web credentials. After you do this successfully, you will see a menu and an `eap600>` prompt:

	*** Hi admin, welcome to use cli(V-1.8.10) ***
	---========= Commands Help =========---
	      stat -- Status
	       sys -- System
	    wless2 -- 2.4G-Wireless
	    wless5 -- 5G-Wireless
	      mgmt -- Management
	      tree -- Tree
	      help -- Help
	    reboot -- Reboot
	    logout -- Logout

3. Type in the magic command

Instead of typing in any of the commands from the menu, type in the magic command `1d68d24ea0d9bb6e19949676058f1b93` and press enter. You should then be at a root shell:

	BusyBox v1.19.4 (2015-10-01 07:56:17 CST) built-in shell (ash)
	Enter 'help' for a list of built-in commands.
	  _______                     ________        __
	 |       |.-----.-----.-----.|  |  |  |.----.|  |_
	 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
	 |_______||   __|_____|__|__||________||__|  |____|
	          |__| W I R E L E S S   F R E E D O M
	 KAMIKAZE (bleeding edge, r20146) ------------------
	  * 10 oz Vodka       Shake well with ice and strain
	  * 10 oz Triple sec  mixture into 10 shot glasses.
	  * 10 oz lime juice  Salute!

4. Generate root keys

Before we can enable dropbear (the SSH server that is included in the EAP600 firmware), we need to generate our host keys. You can do that by copying and pasting the following lines into the root shell and pressing enter:

    [ -s /etc/dropbear/dropbear_rsa_host_key ] || \
        { rm -f /etc/dropbear/dropbear_rsa_host_key ; \
        dropbearkey -t rsa -s 2048 -f /etc/dropbear/dropbear_rsa_host_key ; } ; \
    [ -s /etc/dropbear/dropbear_dss_host_key ] || \
        { rm -f /etc/dropbear/dropbear_dss_host_key ; \
        dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key ; }

5. Copy over your ssh `authorized_keys`

Dropbear expects the `authorized_keys` file to be in `/etc/dropbear/authorized_keys`. You can either edit this file with `vi` or you can do the following steps:

  1. Type in the command `cat > /etc/dropbear/authorized_keys <<EOF`
  2. Copy the contents of your public key or `authorized_keys` file to your clipboard.
  3. Paste the contents of your clipboard into the terminal.
  4. Press enter, type `EOF`, and press enter again. At this point you should be back at the root shell prompt.

Then you should make sure that the permissions are set properly on everything in `/etc/dropbear` with the following command line:

  chmod 600 /etc/dropbear/* ; chmod 700 /etc/dropbear

6. Enable dropbear

Enabling the dropbear service, so that it will start automatically after every boot, is as easy as typing in the following command:

  /etc/init.d/dropbear enable
  /etc/init.d/dropbear start

7. Reboot

At this point we should reboot so that we can verify that everything is working as expected. This can take a minute or two. Just start pinging the device until it starts responding, then wait another minute or two for dropbear to get started. To reboot, just type `reboot` into the command line and press enter.

8. Log in with ssh

After waiting a while, you should be able to ssh into your EAP-600 as `root`:

  ssh root@<WAP-IP-ADDRESS>

You should now be greeted with a root prompt. w00t!

9. Security hardening

Now that you've got SSH up and running, let's take a few moments to lock down the security of the device.

Disable dropbear password authentication

It turns out that the EAP-600 runs a really old version of OpenWrt, but the `uci` command is still available, so we can use it to turn off password authentication for dropbear:

    uci set dropbear.@dropbear[0].PasswordAuth=off
    uci commit
    /etc/init.d/dropbear restart

After doing this, it is a good idea to verify that it is indeed working as expected. We can do this pretty easily by trying to log into the device using the `admin` account, which by default has the password `1234`.

To check that password authentication is indeed disabled, simply log out of the root shell and then try logging back into the device as the user `admin`:

  ssh -o "PubkeyAuthentication no" admin@<WAP-IP-ADDRESS>

You shouldn't even get a password prompt, it should just say `Permission denied (publickey).`. If you do get a password prompt, type in `1234` and press enter. If it successfully logs you in as the user `admin`, then something has gone horribly wrong.
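As an added example (not code from the page), the audit below checks the two hardening points from steps 5 and 9 offline: that the dropbear UCI config has `PasswordAuth` set to off, and that `/etc/dropbear` and everything in it carry the 700/600 permissions the page sets. The config parser handles the plain `config`/`option` syntax of OpenWrt's `/etc/config` files; the weak and hardened config texts and the stand-in key directory are constructed here for demonstration, and the hypothetical `run_audits` helper runs both against a temporary directory.

```python
import os
import stat
import tempfile
from typing import Dict, List, Tuple


def parse_uci_config(text: str) -> List[Dict[str, str]]:
    """Parse /etc/config-style text ("config <type> [name]" / "option <key> <value>") into sections."""
    sections: List[Dict[str, str]] = []
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "config" and len(parts) >= 2:
            sections.append({"_type": parts[1]})
        elif parts[0] == "option" and len(parts) == 3 and sections:
            sections[-1][parts[1]] = parts[2].strip().strip("'\"")
    return sections


def audit_dropbear(config_text: str, dropbear_dir: str) -> List[str]:
    """Return hardening findings for a dropbear config plus its key directory (empty = clean)."""
    findings: List[str] = []
    for section in parse_uci_config(config_text):
        if section["_type"] != "dropbear":
            continue
        # Dropbear's default is passwords on; only an explicit off/0 disables them.
        if section.get("PasswordAuth", "on").lower() not in ("off", "0", "false", "no"):
            findings.append("PasswordAuth is not off: password logins (admin/1234 by default) still work")

    dir_mode = stat.S_IMODE(os.stat(dropbear_dir).st_mode)
    if dir_mode & 0o077:
        findings.append(f"{dropbear_dir} is mode {dir_mode:o}, expected 700")
    for entry in sorted(os.listdir(dropbear_dir)):
        path = os.path.join(dropbear_dir, entry)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:
            findings.append(f"{path} is mode {mode:o}, expected 600")
    return findings


# Constructed config texts: the factory default beside the hardened form from step 9.
WEAK_CONFIG = "config dropbear\n\toption PasswordAuth 'on'\n\toption Port '22'\n"
HARDENED_CONFIG = "config dropbear\n\toption PasswordAuth 'off'\n\toption Port '22'\n"


def make_dropbear_dir(base: str, hardened: bool) -> str:
    """Create a stand-in for /etc/dropbear with placeholder host key and authorized_keys files."""
    d = os.path.join(base, "dropbear")
    os.makedirs(d)
    for name in ("dropbear_rsa_host_key", "authorized_keys"):
        path = os.path.join(d, name)
        with open(path, "wb") as fh:
            fh.write(b"placeholder, not a real key\n")
        os.chmod(path, 0o600 if hardened else 0o644)
    os.chmod(d, 0o700 if hardened else 0o755)
    return d


def run_audits() -> Tuple[List[str], List[str]]:
    """Audit a weak and a hardened setup in a temp dir; returns (weak_findings, hardened_findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        weak = audit_dropbear(WEAK_CONFIG, make_dropbear_dir(os.path.join(tmp, "weak"), hardened=False))
        hard = audit_dropbear(HARDENED_CONFIG, make_dropbear_dir(os.path.join(tmp, "hard"), hardened=True))
    return weak, hard


if __name__ == "__main__":
    weak_findings, hardened_findings = run_audits()
    print("weak setup:", *weak_findings, sep="\n  ")
    print("hardened setup:", hardened_findings or "no findings")
```

On the device itself the same check is `audit_dropbear(open("/etc/config/dropbear").read(), "/etc/dropbear")`; a clean result, together with the `Permission denied (publickey).` response above, confirms that the password path is closed.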

  • Last modified: 2021/06/11 12:51
  • by mpratt