SenaoWRT Linux 2.6 - 3.0 Failsafe Platform

Senao SDK used by several vendors includes a patched U-boot bootloader that uses checksums to verify kernel and rootfs, and a failsafe image that is booted when the checksums fail, in order to upload a new image to flash.

the following information applies to these devices, and many more:

• EAP1200H
• EAP300 v2
• EAP350 v1
• EAP600
• ECB350 v1
• ECB600
• ENH202 v1
• ENS202EXT v1
• EnStationAC v1

The only guaranteed safe method to move from 19.07 or earlier or old master snapshot to 21.02

is to trigger the OEM failsafe image to boot by rewriting one of the checksums verified at boot

• Login as root via SSH, then enter the following commands:

fw_setenv rootfs_checksum 0
reboot

wait a minute

connect a computer to ethernet and set it to a static address in 192.168.1.x

navigate to 192.168.1.1/index.htm

Select the factory.bin image and upload

Standard UART pinout is available on the board.

Pinout is in the following order, with respect to the board.

1. 3.3 V (white arrow)
2. GND
3. TX
4. RX

uboot can be interrupted by hitting any key

many standard uboot commands like tftpboot and bootm and printenv are available

for some of the devices (like EAP1200H), the TX pin is shorted to ground by a resistor

uboot environment includes a custom command to load the failsafe image

run failsafe_boot

The OEM software is a heavily modified version of Openwrt Kamikaze. Senao SDK uses a script for sysupgrade located at /etc/fwupgrade.sh

Image verification is passed by the successful ungzip and untar of the supplied file and name check and header verification of the resulting contents. To form a factory.bin that is accepted by OEM Openwrt build, the kernel and rootfs must have specific names...

• openwrt-senao-eap600-uImage-lzma.bin
• openwrt-senao-eap600-root.squashfs

and begin with the respective headers (uImage, squashfs). Then the files must be tarballed and gzipped. The resulting binary is actually a tar.gz file in disguise. This can be verified by using binwalk on the OEM firmware images, ungzipping then untaring.

Highly recommended to use serial console to load TFTP images. It is not reliable and may take many attempts.

rename initramfs-kernel.bin to 'vmlinux-art-ramdisk' make available on TFTP server at 192.168.1.101 power board hold or press reset button repeatedly

NOTE: for some Engenius boards TFTP is not reliable try setting MTU to 600 and try many times

from: https://gist.github.com/darconeous/b24cdaa853a8f35162f2f8e3a3050149

First, log into the web interface on the EAP600. Then click on the “CLI Settings” link from the “Management” section of the left-hand navigation bar. Click on the radio button for “On” and then press the “Save/Apply” button. If it is already “On”, skip this step.

Telnet into the device and login with your web credentials. After you do this successfully, you will see a menu and a `eap600>` prompt:

	*** Hi admin, welcome to use cli(V-1.8.10) ***
	---========= Commands Help =========---
	      stat -- Status
	       sys -- System
	    wless2 -- 2.4G-Wireless
	    wless5 -- 5G-Wireless
	      mgmt -- Management
	      tree -- Tree
	      help -- Help
	    reboot -- Reboot
	    logout -- Logout
	eap600>

Instead of typing in any of the commands from the menu, type in the magic command `1d68d24ea0d9bb6e19949676058f1b93` and press enter. You should then be at a root shell:

	eap600>1d68d24ea0d9bb6e19949676058f1b93
	
	
	BusyBox v1.19.4 (2015-10-01 07:56:17 CST) built-in shell (ash)
	Enter 'help' for a list of built-in commands.
	
	  _______                     ________        __
	 |       |.-----.-----.-----.|  |  |  |.----.|  |_
	 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
	 |_______||   __|_____|__|__||________||__|  |____|
	          |__| W I R E L E S S   F R E E D O M
	 KAMIKAZE (bleeding edge, r20146) ------------------
	  * 10 oz Vodka       Shake well with ice and strain
	  * 10 oz Triple sec  mixture into 10 shot glasses.
	  * 10 oz lime juice  Salute!
	 ---------------------------------------------------
	root@EAP600:/# 

Before we can enable dropbear (the SSH server that is included in the EAP600 firmware), we need to generate our host keys. You can do that by copying and pasting the following lines into the root shell and pressing enter:

    [ -s /etc/dropbear/dropbear_rsa_host_key ] || \
        { rm -f /etc/dropbear/dropbear_rsa_host_key ; \
        dropbearkey -t rsa -s 2048 -f /etc/dropbear/dropbear_rsa_host_key ; } ; \
    [ -s /etc/dropbear/dropbear_dss_host_key ] || \
        { rm -f /etc/dropbear/dropbear_dss_host_key ; \
        dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key ; }

Dropbear expects the `authorized_keys` file to be in `/etc/dropbear/authorized_keys`. You can either edit this file with `vi` or you can do the following steps:

1. Type in the command `cat > /etc/dropbear/authorized_keys <<EOF` 2. Copy the contents of your `id_rsa.pub` or `authorized_keys` file to your clipboard. 3. Paste the contents of your clipboard into the terminal. 4. Press enter, type `EOF`, and press enter again. At this point you should be back at the root shell prompt.

Then you should make sure that the permissions are set properly on everything in `/etc/dropbear` with the following command line:

  chmod 600 /etc/dropbear/* ; chmod 700 /etc/dropbear

Enabling the dropbear service, so that it will start automatically after every boot, is as easy as typing in the following command:

  /etc/init.d/dropbear enable
  /etc/init.d/dropbear start

At this point we should reboot so that we can verify that everything is working as expected. This can take a minute or two. Just start pinging the device until it starts responding, then wait another minute or two for dropbear to get started. To reboot, just type `reboot` into the command line and press enter.

After waiting a while, you should be able to ssh into your EAP-600 as `root`:

  ssh root@<WAP-IP-ADDRESS>

You should now be greeted with a root prompt. w00t!

Now that you've got SSH up and running, lets take a few moments to make sure that we lock down the security of the device.

It turns out that the EAP-600 runs a really old version of OpenWRT. Because of that, we can use the `uci` command to turn off password authentication for dropbear:

    uci set dropbear.@dropbear[0].PasswordAuth=off
    uci commit
    /etc/init.d/dropbear restart

After doing this, it is a good idea to verify that it is indeed working as expected. We can do this pretty easily by trying to log into the device using the `admin` account---which by default has the password `1234`.

To check that password authentication is indeed disabled, you simply log out of the root shell and then try to logging back into the device as the user `admin`:

  ssh -o "PubkeyAuthentication no" admin@<WAP-IP-ADDRESS>

You shouldn't even get a password prompt, it should just say `Permission denied (publickey).`. If you do get a password prompt, type in `1234` and press enter. If it successfully logs you in as the user `admin`, then something has gone horribly wrong.

Some newer, or more powerful Senao devices no longer respond to the magic hex string, but also require less effort to enable ssh

As mentioned above, log into the AP, select Management>Advanced, and enable CLI access.

Just click the Enable radio button. Don't forget to save and apply your changes.

ssh -t admin@<ap> /bin/ash

This instructs ssh to request a tty, and then unconditionally run `/bin/ash`. This bypasses the normal restricted CLI and gives you a root shell:

$ ssh -t admin@my-ap /bin/ash
...
BusyBox v1.19.4 (2020-01-13 17:58:32 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # 

Gather your ssh public keys as mentioned above, or use something like

cat ~/.ssh/id*.pub

to display them on the terminal. Copy the public keys to your clipboard.

On your AP, enter the command

cat >> /etc/dropbear/authorized_keys

. This will not produce any output, but whatever you enter next will be appended to the authorized_keys file. Now paste in your public keys. Enter

^D

(control-d) to finish.

Read the steps above and decide if you want to disable password auth for ssh.