SenaoWRT Linux 2.6 - 3.0 Failsafe Platform
Senao SDK used by several vendors includes a patched U-boot bootloader that uses checksums to verify kernel and rootfs, and a failsafe image that is booted when the checksums fail, in order to upload a new image to flash.
The following information applies to these devices, and many more:
ar71xx → ath79 Migration OR return to OEM
The only guaranteed safe method to move from 19.07 or earlier, or from an old master snapshot, to 21.02 is to trigger the OEM failsafe image to boot by rewriting one of the checksums verified at boot.
- Log in as root via SSH, then enter the following commands:
fw_setenv rootfs_checksum 0
reboot
- Wait a minute.
- Connect a computer to Ethernet and set it to a static address in 192.168.1.x.
- Navigate to 192.168.1.1/index.htm.
- Select the factory.bin image and upload it.
Serial Console
Standard UART pinout is available on the board.
Pinout is in the following order, with respect to the board.
- 3.3 V (white arrow)
- GND
- TX
- RX
U-Boot can be interrupted by hitting any key.
Many standard U-Boot commands such as tftpboot, bootm and printenv are available.
For some of the devices (such as the EAP1200H), the TX pin is shorted to ground by a resistor.
Load Failsafe image
The U-Boot environment includes a custom command to load the failsafe image:
run failsafe_boot
Format of OEM firmware image
The OEM software is a heavily modified version of OpenWrt Kamikaze. The Senao SDK uses a script for sysupgrade located at /etc/fwupgrade.sh
Image verification is passed by the successful ungzip and untar of the supplied file, followed by a name check and header verification of the resulting contents. To form a factory.bin that is accepted by the OEM OpenWrt build, the kernel and rootfs must have specific names...
- openwrt-senao-eap600-uImage-lzma.bin
- openwrt-senao-eap600-root.squashfs
and begin with the respective headers (uImage, squashfs). Then the files must be tarballed and gzipped. The resulting binary is actually a tar.gz file in disguise. This can be verified by running binwalk on the OEM firmware images, or simply by ungzipping and then untarring them.
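As an added example (not code from the OpenWrt wiki or from the Senao SDK), the check below implements the acceptance rule just described: gunzip, untar, look for the two expected member names, and confirm that each begins with the right header. The header magics are the public ones for the U-Boot legacy uImage header (0x27051956, big-endian) and the little-endian squashfs superblock ("hsqs"); the eap600 member names are the ones listed above. The sample image it builds is constructed in memory purely to exercise the checker, so it runs without a real firmware file; pass a path as the first argument to inspect a real factory.bin.

```python
"""Verify that a candidate factory.bin has the Senao/EnGenius OEM layout:
a gzipped tarball whose members carry the expected names and begin with a
uImage header or a squashfs superblock (added example, not project code)."""
import gzip
import io
import posixpath
import struct
import sys
import tarfile

UIMAGE_MAGIC = 0x27051956      # U-Boot legacy image header magic (big-endian)
SQUASHFS_MAGIC = b"hsqs"       # little-endian squashfs superblock magic

# Member names the page lists for the eap600 build.
EXPECTED = {
    "openwrt-senao-eap600-uImage-lzma.bin": "uimage",
    "openwrt-senao-eap600-root.squashfs": "squashfs",
}


def header_kind(data: bytes):
    """Return 'uimage', 'squashfs', or None based on the first four bytes."""
    if len(data) >= 4 and struct.unpack(">I", data[:4])[0] == UIMAGE_MAGIC:
        return "uimage"
    if data[:4] == SQUASHFS_MAGIC:
        return "squashfs"
    return None


def check_factory_image(blob: bytes):
    """Return (ok, problems) for the bytes of a candidate factory.bin."""
    problems = []
    try:
        raw = gzip.decompress(blob)
    except (OSError, EOFError) as exc:
        return False, [f"not gzip: {exc}"]
    try:
        tar = tarfile.open(fileobj=io.BytesIO(raw), mode="r:")
    except tarfile.TarError as exc:
        return False, [f"not tar: {exc}"]
    seen = {}
    with tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            fh = tar.extractfile(member)
            head = fh.read(4) if fh else b""
            # Ignore any leading "./" the packer may have added.
            seen[posixpath.basename(member.name)] = header_kind(head)
    for name, kind in EXPECTED.items():
        if name not in seen:
            problems.append(f"missing member {name}")
        elif seen[name] != kind:
            problems.append(f"{name} does not start with a {kind} header")
    return not problems, problems


def build_sample_image(kernel_ok=True, rootfs_ok=True) -> bytes:
    """Construct a tiny gzipped tarball in the OEM layout (constructed data,
    not a real firmware); the *_ok flags produce deliberately bad headers."""
    kernel = (struct.pack(">I", UIMAGE_MAGIC) if kernel_ok else b"\0\0\0\0")
    kernel += b"\0" * 60 + b"fake kernel payload"
    rootfs = (SQUASHFS_MAGIC if rootfs_ok else b"NOPE")
    rootfs += b"\0" * 92 + b"fake rootfs payload"
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for name, data in (("openwrt-senao-eap600-uImage-lzma.bin", kernel),
                           ("openwrt-senao-eap600-root.squashfs", rootfs)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return gzip.compress(tar_buf.getvalue())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            ok, problems = check_factory_image(fh.read())
    else:
        ok, problems = check_factory_image(build_sample_image())
    print("OK" if ok else "\n".join(problems))
```

The checker only reads the first four bytes of each member, which is exactly what the name-and-header acceptance described above amounts to; it says nothing about whether the kernel or rootfs is otherwise sane, which is why the failsafe image and the U-Boot checksums matter when an upload goes wrong.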
TFTP recovery
Using the serial console to load TFTP images is highly recommended. TFTP recovery is not reliable and may take many attempts.
- Rename initramfs-kernel.bin to 'vmlinux-art-ramdisk'.
- Make it available on a TFTP server at 192.168.1.101.
- Power the board while holding, or repeatedly pressing, the reset button.
NOTE: for some EnGenius boards TFTP is not reliable; try setting the MTU to 600 and retry many times.
Enabling SSH on OEM firmware
1. Enable CLI
First, log into the web interface on the EAP600. Then click on the “CLI Settings” link from the “Management” section of the left-hand navigation bar. Click on the radio button for “On” and then press the “Save/Apply” button. If it is already “On”, skip this step.
2. Log in via telnet
Telnet into the device and log in with your web credentials. After you do this successfully, you will see a menu and an `eap600>` prompt:
*** Hi admin, welcome to use cli(V-1.8.10) ***
---========= Commands Help =========---
stat    -- Status
sys     -- System
wless2  -- 2.4G-Wireless
wless5  -- 5G-Wireless
mgmt    -- Management
tree    -- Tree
help    -- Help
reboot  -- Reboot
logout  -- Logout
eap600>
3. Type in the magic command
Instead of typing in any of the commands from the menu, type in the magic command `1d68d24ea0d9bb6e19949676058f1b93` and press enter. You should then be at a root shell:
eap600>1d68d24ea0d9bb6e19949676058f1b93
BusyBox v1.19.4 (2015-10-01 07:56:17 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__| |____|
          |__| W I R E L E S S   F R E E D O M
 KAMIKAZE (bleeding edge, r20146) ------------------
  * 10 oz Vodka       Shake well with ice and strain
  * 10 oz Triple sec  mixture into 10 shot glasses.
  * 10 oz lime juice  Salute!
 ---------------------------------------------------
root@EAP600:/#
4. Generate root keys
Before we can enable dropbear (the SSH server that is included in the EAP600 firmware), we need to generate our host keys. You can do that by copying and pasting the following lines into the root shell and pressing enter:
[ -s /etc/dropbear/dropbear_rsa_host_key ] || \
  { rm -f /etc/dropbear/dropbear_rsa_host_key ; \
    dropbearkey -t rsa -s 2048 -f /etc/dropbear/dropbear_rsa_host_key ; } ; \
[ -s /etc/dropbear/dropbear_dss_host_key ] || \
  { rm -f /etc/dropbear/dropbear_dss_host_key ; \
    dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key ; }
5. Copy over your ssh `authorized_keys`
Dropbear expects the `authorized_keys` file to be in `/etc/dropbear/authorized_keys`. You can either edit this file with `vi` or you can do the following steps:
1. Type in the command `cat > /etc/dropbear/authorized_keys <<EOF`
2. Copy the contents of your `id_rsa.pub` or `authorized_keys` file to your clipboard.
3. Paste the contents of your clipboard into the terminal.
4. Press enter, type `EOF`, and press enter again. At this point you should be back at the root shell prompt.
Then you should make sure that the permissions are set properly on everything in `/etc/dropbear` with the following command line:
chmod 600 /etc/dropbear/*
chmod 700 /etc/dropbear
6. Enable dropbear
Enabling the dropbear service, so that it will start automatically after every boot, is as easy as typing in the following commands:
/etc/init.d/dropbear enable
/etc/init.d/dropbear start
7. Reboot
At this point we should reboot so that we can verify that everything is working as expected. This can take a minute or two. Just start pinging the device until it starts responding, then wait another minute or two for dropbear to get started. To reboot, just type `reboot` into the command line and press enter.
8. Log in with ssh
After waiting a while, you should be able to ssh into your EAP-600 as `root`:
ssh root@<WAP-IP-ADDRESS>
You should now be greeted with a root prompt. w00t!
9. Security hardening
Now that you've got SSH up and running, let's take a few moments to lock down the security of the device.
Disable dropbear password authentication
It turns out that the EAP-600 runs a really old version of OpenWrt. Because of that, we can use the `uci` command to turn off password authentication for dropbear:
uci set dropbear.@dropbear[0].PasswordAuth=off
uci commit
/etc/init.d/dropbear restart
After doing this, it is a good idea to verify that it is indeed working as expected. We can do this pretty easily by trying to log into the device using the `admin` account, which by default has the password `1234`.
To check that password authentication is indeed disabled, simply log out of the root shell and then try logging back into the device as the user `admin`:
ssh -o "PubkeyAuthentication no" admin@<WAP-IP-ADDRESS>
You shouldn't even get a password prompt, it should just say `Permission denied (publickey).`. If you do get a password prompt, type in `1234` and press enter. If it successfully logs you in as the user `admin`, then something has gone horribly wrong.
Enabling SSH on OEM firmware (with less magic)
Some newer or more powerful Senao devices no longer respond to the magic hex string, but they also require less effort to enable SSH.
1. Enable CLI
As mentioned above, log into the AP, select Management>Advanced, and enable CLI access.
2. Enable SSH
Just click the Enable radio button. Don't forget to save and apply your changes.
3. SSH into the AP
ssh -t admin@<ap> /bin/ash
This instructs ssh to request a tty, and then unconditionally run `/bin/ash`. This bypasses the normal restricted CLI and gives you a root shell:
$ ssh -t admin@my-ap /bin/ash
...
BusyBox v1.19.4 (2020-01-13 17:58:32 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
~ #
4. Copy in your ssh keys
Gather your ssh public keys as mentioned above, or use something like
cat ~/.ssh/id*.pub
to display them on the terminal. Copy the public keys to your clipboard.
On your AP, enter the command
cat >> /etc/dropbear/authorized_keys
This will not produce any output, but whatever you enter next will be appended to the authorized_keys file. Now paste in your public keys. Enter
^D
(control-d) to finish.
5. Secure your installation
Read the steps above and decide if you want to disable password auth for ssh.