SenaoWRT Linux 2.6 - 3.0 Failsafe Platform

The Senao SDK used by several vendors includes a patched U-Boot bootloader that verifies checksums of the kernel and rootfs at boot, and a failsafe image that is booted when the checksums fail, so that a new image can be uploaded to flash.

The following information applies to these devices, and many more:

  * EAP1200H
  * EAP300 v2
  * EAP350 v1
  * EAP600
  * ECB350 v1
  * ECB600
  * ENH202 v1
  * ENS202EXT v1
  * EnStationAC v1

ar71xx → ath79 Migration OR return to OEM

The only guaranteed safe method to move from 19.07 or earlier (or an old master snapshot) to 21.02 is to trigger the OEM failsafe image to boot by rewriting one of the checksums verified at boot. Log in as root via SSH, then enter the following commands:

  fw_setenv rootfs_checksum 0
  reboot

Then:

  1. Wait a minute.
  2. Connect a computer to ethernet and give it a static address in 192.168.1.x.
  3. Navigate to 192.168.1.1/index.htm.
  4. Select the factory.bin image and upload it.

Serial Console

The standard UART pinout is available on the board. The pins are in the following order, with respect to the board:

  * 3.3 V (white arrow)
  * GND
  * TX
  * RX

U-Boot can be interrupted by hitting any key. Many standard U-Boot commands, like tftpboot, bootm and printenv, are available.

For some of the devices (like the EAP1200H), the TX pin is shorted to ground by a resistor.

Load Failsafe image

The U-Boot environment includes a custom command to load the failsafe image:

  run failsafe_boot

Format of OEM firmware image

The OEM software is a heavily modified version of OpenWrt Kamikaze.
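Worked example of the packing and the check this section describes, added here and not code from the page, the Senao SDK or /etc/fwupgrade.sh (whose script the page does not reproduce): it packs a uImage kernel and a squashfs rootfs under the expected names into a gzipped tar, and unpacks an image the same way, checking the member names and the two headers. "Header verification" is taken to mean the leading magic bytes (0x27051956 for uImage, "hsqs" for squashfs), which is an assumption about what the OEM script checks. The function names, the board name and the stub image contents are constructed for the demo.

```shell
#!/bin/sh
# Build and verify a Senao-style factory.bin: a gzipped tar holding a uImage
# kernel and a squashfs rootfs under fixed names. Added example; the magic
# values are the public uImage/squashfs ones, the file names are the page's.
set -eu

UIMAGE_MAGIC="27051956"   # big-endian uImage header magic, as hex
SQUASHFS_MAGIC="68737173" # the bytes "hsqs", the little-endian squashfs magic

# first4 FILE -> the first four bytes of FILE as lowercase hex
first4() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# check_header FILE MAGIC -> 0 if FILE begins with MAGIC
check_header() {
    [ "$(first4 "$1")" = "$2" ]
}

# make_factory_bin KERNEL ROOTFS BOARD OUT
# Packs KERNEL and ROOTFS under the names the OEM upgrade expects
# (openwrt-senao-<board>-uImage-lzma.bin, openwrt-senao-<board>-root.squashfs)
# into OUT, refusing inputs that do not carry the right header.
make_factory_bin() {
    kernel=$1 rootfs=$2 board=$3 out=$4
    check_header "$kernel" "$UIMAGE_MAGIC" || { echo "bad uImage header: $kernel" >&2; return 1; }
    check_header "$rootfs" "$SQUASHFS_MAGIC" || { echo "bad squashfs header: $rootfs" >&2; return 1; }
    work=$(mktemp -d)
    cp "$kernel" "$work/openwrt-senao-$board-uImage-lzma.bin"
    cp "$rootfs" "$work/openwrt-senao-$board-root.squashfs"
    tar -C "$work" -czf "$out" \
        "openwrt-senao-$board-uImage-lzma.bin" "openwrt-senao-$board-root.squashfs"
    rm -rf "$work"
}

# inspect_factory_bin IMAGE
# Unpacks IMAGE the way the OEM script does (gunzip, then untar), prints the
# member names, and returns 1 if any member has an unexpected name or header.
inspect_factory_bin() {
    img=$1
    work=$(mktemp -d)
    gzip -dc "$img" | tar -C "$work" -xf - || { rm -rf "$work"; return 1; }
    status=0
    for f in "$work"/*; do
        case "$(basename "$f")" in
            openwrt-senao-*-uImage-lzma.bin) check_header "$f" "$UIMAGE_MAGIC" || status=1 ;;
            openwrt-senao-*-root.squashfs)   check_header "$f" "$SQUASHFS_MAGIC" || status=1 ;;
            *) status=1 ;;
        esac
        basename "$f"
    done
    rm -rf "$work"
    return $status
}

# Demo on constructed stand-ins: a real build would supply the OpenWrt
# uImage and squashfs here. Only the headers matter for the check.
DEMO=$(mktemp -d)
printf '\047\005\031\126kernel-stub' > "$DEMO/kernel.uimage"
printf 'hsqsrootfs-stub' > "$DEMO/rootfs.squashfs"
make_factory_bin "$DEMO/kernel.uimage" "$DEMO/rootfs.squashfs" eap600 "$DEMO/factory.bin"
inspect_factory_bin "$DEMO/factory.bin"
rm -rf "$DEMO"
```

Point `make_factory_bin` at a real uImage and squashfs to produce an image for the OEM web upload, and `inspect_factory_bin` at a downloaded OEM image to confirm the tar.gz layout the page describes. Only the names and the two magics are checked here; nothing validates that the images fit the board's flash partitions.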
The Senao SDK uses a script for sysupgrade located at /etc/fwupgrade.sh. Image verification consists of successfully gunzipping and untarring the supplied file, followed by a name check and a header check of the resulting contents. To form a factory.bin that is accepted by the OEM OpenWrt build, the kernel and rootfs must have specific names, for example:

  openwrt-senao-eap600-uImage-lzma.bin
  openwrt-senao-eap600-root.squashfs

and must begin with the respective headers (uImage, squashfs). The files are then tarred and gzipped: the resulting "binary" is actually a tar.gz file in disguise. This can be verified by running binwalk on an OEM firmware image, or simply by gunzipping and then untarring it.

TFTP recovery

It is highly recommended to use the serial console to load TFTP images; the reset-button method is not reliable and may take many attempts.

  1. Rename initramfs-kernel.bin to 'vmlinux-art-ramdisk'.
  2. Make it available on a TFTP server at 192.168.1.101.
  3. Power the board.
  4. Hold or press the reset button repeatedly.

NOTE: for some EnGenius boards TFTP is not reliable; try setting the MTU to 600 and try many times.

Enabling SSH on OEM firmware

From: https://gist.github.com/darconeous/b24cdaa853a8f35162f2f8e3a3050149

1. Enable CLI

First, log into the web interface on the EAP600. Then click on the "CLI Settings" link in the "Management" section of the left-hand navigation bar. Click on the radio button for "On" and then press the "Save/Apply" button. If it is already "On", skip this step.

2. Log in via telnet

Telnet into the device and log in with your web credentials. After you do this successfully, you will see a menu and an `eap600>` prompt:

  *** Hi admin, welcome to use cli(V-1.8.10) ***
  ---========= Commands Help =========---
  stat    -- Status
  sys     -- System
  wless2  -- 2.4G-Wireless
  wless5  -- 5G-Wireless
  mgmt    -- Management
  tree    -- Tree
  help    -- Help
  reboot  -- Reboot
  logout  -- Logout
  eap600>

3. Type in the magic command

Instead of typing in any of the commands from the menu, type in the magic command `1d68d24ea0d9bb6e19949676058f1b93` and press enter. Note that this is a hardcoded escape from the restricted CLI straight into a root shell: on OEM firmware, anyone holding valid web/telnet credentials can reach root this way.
You should then be at a root shell:

  eap600>1d68d24ea0d9bb6e19949676058f1b93

  BusyBox v1.19.4 (2015-10-01 07:56:17 CST) built-in shell (ash)
  Enter 'help' for a list of built-in commands.

    _______                     ________        __
   |       |.-----.-----.-----.|  |  |  |.----.|  |_
   |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
   |_______||   __|_____|__|__||________||__| |____|
            |__| W I R E L E S S   F R E E D O M
   KAMIKAZE (bleeding edge, r20146) ------------------
    * 10 oz Vodka       Shake well with ice and strain
    * 10 oz Triple sec  mixture into 10 shot glasses.
    * 10 oz lime juice  Salute!
   ---------------------------------------------------
  root@EAP600:/#

4. Generate host keys

Before we can enable dropbear (the SSH server included in the EAP600 firmware), we need to generate its host keys. You can do that by copying and pasting the following lines into the root shell and pressing enter (an existing non-empty key file is left alone):

  [ -s /etc/dropbear/dropbear_rsa_host_key ] || \
  { rm -f /etc/dropbear/dropbear_rsa_host_key ; \
    dropbearkey -t rsa -s 2048 -f /etc/dropbear/dropbear_rsa_host_key ; } ; \
  [ -s /etc/dropbear/dropbear_dss_host_key ] || \
  { rm -f /etc/dropbear/dropbear_dss_host_key ; \
    dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key ; }

5. Copy over your ssh `authorized_keys`

Dropbear expects the `authorized_keys` file to be at `/etc/dropbear/authorized_keys`. You can either edit this file with `vi` or do the following:

  1. Type in the command `cat > /etc/dropbear/authorized_keys <<EOF`
  2. Copy the contents of your `id_rsa.pub` or `authorized_keys` file to your clipboard.
  3. Paste the contents of your clipboard into the terminal.
  4. Press enter, type `EOF`, and press enter again.

At this point you should be back at the root shell prompt. Then make sure that the permissions are set properly on everything in `/etc/dropbear` with the following command line:

  chmod 600 /etc/dropbear/* ; chmod 700 /etc/dropbear

6. Enable dropbear

Enabling the dropbear service so that it starts automatically after every boot is as easy as typing in the following commands:

  /etc/init.d/dropbear enable
  /etc/init.d/dropbear start

7. Reboot

At this point we should reboot so that we can verify that everything is working as expected. This can take a minute or two. Just start pinging the device until it responds, then wait another minute or two for dropbear to get started. To reboot, just type `reboot` into the command line and press enter.

8. Log in with ssh

After waiting a while, you should be able to ssh into your EAP-600 as `root`:

  ssh root@<WAP-IP-ADDRESS>

You should now be greeted with a root prompt. w00t!

9. Security hardening

Now that you've got SSH up and running, let's take a few moments to lock down the device.

Disable dropbear password authentication

Because the EAP-600 runs a (really old) version of OpenWrt, the `uci` command is available, and we can use it to turn off password authentication for dropbear:

  uci set dropbear.@dropbear[0].PasswordAuth=off
  uci commit
  /etc/init.d/dropbear restart

After doing this, verify that it is indeed working as expected. The easiest check is to try logging into the device with the `admin` account, which by default has the password `1234`. Log out of the root shell, then try logging back in as the user `admin` with public-key authentication turned off on the client side:

  ssh -o "PubkeyAuthentication no" admin@<WAP-IP-ADDRESS>

You shouldn't even get a password prompt; it should just say `Permission denied (publickey).`. If you do get a password prompt, type in `1234` and press enter. If it successfully logs you in as the user `admin`, then something has gone horribly wrong.

This only closes the SSH door: the web interface and the telnet CLI (and with it the magic command above) still accept the `admin` password, so change that from the default as well.
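An added pre-flight script for this hardening step, not from the page or the gist, which applies equally to the password-auth decision in step 5 of the "with less magic" variant further down: it refuses to turn password authentication off until /etc/dropbear/authorized_keys holds at least one line that parses as an OpenSSH public key, so a mis-paste in the `cat > ... <<EOF` step cannot lock you out of the only remaining way in. The key parser checks what an SSH server checks first: a known type name, and a base64 blob whose leading length-prefixed string repeats that name. The function names, the key-type list and the `apply` argument are this example's own; the `uci` and init.d commands are the page's.

```shell
#!/bin/sh
# Added example, not from the page or the gist: gate "PasswordAuth=off" on
# authorized_keys actually containing a usable key. valid_pubkey_line and
# count_valid_keys are pure and run on any POSIX sh (BusyBox ash included);
# harden_dropbear is the on-device step and only runs as "sh harden.sh apply".
set -eu

AUTH_KEYS=${AUTH_KEYS:-/etc/dropbear/authorized_keys}

# valid_pubkey_line LINE -> 0 when LINE is "<type> <base64> [comment]" with a
# known type and the decoded blob really starts with that same type name
# (4-byte big-endian length, then the name), the way sshd/dropbear parse it.
valid_pubkey_line() {
    case "$1" in *" "*) ;; *) return 1 ;; esac
    ktype=${1%% *}
    rest=${1#* }
    blob=${rest%% *}
    case "$ktype" in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    # first 40 decoded bytes as hex; garbage base64 yields too little to parse
    hdr=$(printf '%s' "$blob" | base64 -d 2>/dev/null | od -An -tx1 -N 40 | tr -d ' \n')
    [ ${#hdr} -ge 8 ] || return 1
    len=$((0x$(printf '%s' "$hdr" | cut -c1-8)))
    [ "$len" -eq ${#ktype} ] || return 1
    name_hex=$(printf '%s' "$hdr" | cut -c9-$((8 + 2 * len)))
    want_hex=$(printf '%s' "$ktype" | od -An -tx1 | tr -d ' \n')
    [ "$name_hex" = "$want_hex" ]
}

# count_valid_keys FILE -> prints how many lines of FILE are valid keys;
# blank lines and # comments are skipped, anything else that fails counts 0.
count_valid_keys() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if valid_pubkey_line "$line"; then n=$((n + 1)); fi
    done < "$1"
    echo "$n"
}

# harden_dropbear: the page's permission fix and uci commands, run only when
# at least one key is in place. Meant to be executed on the AP as root.
harden_dropbear() {
    n=$(count_valid_keys "$AUTH_KEYS")
    if [ "$n" -eq 0 ]; then
        echo "refusing: no valid public key in $AUTH_KEYS, you would be locked out" >&2
        return 1
    fi
    chmod 700 /etc/dropbear
    chmod 600 /etc/dropbear/*
    uci set 'dropbear.@dropbear[0].PasswordAuth=off'
    uci commit dropbear
    /etc/init.d/dropbear restart
    echo "password auth off; $n key(s) installed"
}

if [ "${1:-}" = apply ]; then
    harden_dropbear
fi
```

Copy the script to the AP and run `sh harden.sh apply` after pasting your keys; run it with no argument on your workstation (with `AUTH_KEYS` pointed at a local file) to check a key file before pasting. The type list only says the line is well formed: whether the unit's old dropbear accepts ecdsa or ed25519 client keys depends on its version (`dropbear -V`), so an RSA key is the safe choice on this firmware.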
Enabling SSH on OEM firmware (with less magic)

Some newer or more powerful Senao devices no longer respond to the magic hex string, but they also require less effort to enable ssh.

1. Enable CLI

As mentioned above, log into the AP, select Management > Advanced, and enable CLI access.

2. Enable SSH

Just click the Enable radio button. Don't forget to save and apply your changes.

3. SSH into the AP

  ssh -t admin@<ap> /bin/ash

This instructs ssh to request a tty and then unconditionally run `/bin/ash`. This bypasses the normal restricted CLI and gives you a root shell:

  $ ssh -t admin@my-ap /bin/ash
  ...
  BusyBox v1.19.4 (2020-01-13 17:58:32 CST) built-in shell (ash)
  Enter 'help' for a list of built-in commands.
  ~ #

4. Copy in your ssh keys

Gather your ssh public keys as mentioned above, or use something like

  cat ~/.ssh/id*.pub

to display them on the terminal. Copy the public keys to your clipboard. On your AP, enter the command

  cat >> /etc/dropbear/authorized_keys

This produces no output, but whatever you enter next is appended to the authorized_keys file. Now paste in your public keys and enter ^D (control-d) to finish.

5. Secure your installation

Read the steps above and decide if you want to disable password auth for ssh. Keep in mind that the `admin` account (password `1234` by default) lands in a root shell directly over ssh here, so at the very least its password should not stay at the default.

Last modified: 2021/11/26 18:24 by ckuethe