@darconeous
Last active March 24, 2023 20:02
Enabling SSH on Engenius EAP600

Enabling SSH on Engenius EAP600 (and maybe other models)

This tutorial will walk you through the steps needed to get root SSH access on an Engenius EAP600 dual-band WiFi access point. SSH doesn't come enabled out of the box on these things, so if you want to SSH into the device (which is running an old version of OpenWRT), keep reading.

NOTE: These instructions (or portions thereof) have been reported to work on other Engenius models, such as the EAP1200H, EAP1750H, ENS200, ENS202EXT, as well as some Senao wireless gear. This doesn't surprise me, but nonetheless I don't personally have the hardware to confirm.

This document assumes the following:

  • You are familiar with SSH publickey authentication (authorized_keys, etc.)
  • You are familiar with the unix command line.
  • You have the admin credentials for the EAP600 in question.
  • You have firmware version 1.6.37 installed on the EAP600. This procedure may work on earlier or later versions, but you may run into trouble.

1. Enable CLI

First, log into the web interface on the EAP600. Then click on the "CLI Settings" link from the "Management" section of the left-hand navigation bar. Click on the radio button for "On" and then press the "Save/Apply" button. If it is already "On", skip this step.

2. Log in via telnet

Telnet into the device and log in with your web credentials. After you do this successfully, you will see a menu and an eap600> prompt:

*** Hi admin, welcome to use cli(V-1.8.10) ***
---========= Commands Help =========---
      stat -- Status
       sys -- System
    wless2 -- 2.4G-Wireless
    wless5 -- 5G-Wireless
      mgmt -- Management
      tree -- Tree
      help -- Help
    reboot -- Reboot
    logout -- Logout
eap600>

3. Type in the magic command

Instead of typing in any of the commands from the menu, type in the magic command 1d68d24ea0d9bb6e19949676058f1b93 and press enter. You should then be at a root shell:

eap600>1d68d24ea0d9bb6e19949676058f1b93


BusyBox v1.19.4 (2015-10-01 07:56:17 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 KAMIKAZE (bleeding edge, r20146) ------------------
  * 10 oz Vodka       Shake well with ice and strain
  * 10 oz Triple sec  mixture into 10 shot glasses.
  * 10 oz lime juice  Salute!
 ---------------------------------------------------
root@EAP600:/# 

4. Generate root keys

Before we can enable dropbear (the SSH server that is included in the EAP600 firmware), we need to generate our host keys. You can do that by copying and pasting the following lines into the root shell and pressing enter:

[ -s /etc/dropbear/dropbear_rsa_host_key ] || \
    { rm -f /etc/dropbear/dropbear_rsa_host_key ; \
    dropbearkey -t rsa -s 2048 -f /etc/dropbear/dropbear_rsa_host_key ; } ; \
[ -s /etc/dropbear/dropbear_dss_host_key ] || \
    { rm -f /etc/dropbear/dropbear_dss_host_key ; \
    dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key ; }

5. Copy over your ssh authorized_keys

Dropbear expects the authorized_keys file to be in /etc/dropbear/authorized_keys. You can either edit this file with vi or you can do the following steps:

  1. Type in the command cat > /etc/dropbear/authorized_keys <<EOF
  2. Copy the contents of your id_rsa.pub or authorized_keys file to your clipboard.
  3. Paste the contents of your clipboard into the terminal.
  4. Press enter, type EOF, and press enter again. At this point you should be back at the root shell prompt.

Then you should make sure that the permissions are set properly on everything in /etc/dropbear with the following command line:

chmod 600 /etc/dropbear/* ; chmod 700 /etc/dropbear

6. Enable dropbear

Enabling the dropbear service so that it starts automatically after every boot, and starting it right away, is as easy as typing in the following two commands:

/etc/init.d/dropbear enable
/etc/init.d/dropbear start

7. Reboot

At this point we should reboot so that we can verify that everything is working as expected. This can take a minute or two. Just start pinging the device until it starts responding, then wait another minute or two for dropbear to get started. To reboot, just type reboot into the command line and press enter.

8. Log in with ssh

After waiting a while, you should be able to ssh into your EAP-600 as root:

ssh root@<WAP-IP-ADDRESS>

You should now be greeted with a root prompt. w00t!

9. Security hardening

Now that you've got SSH up and running, let's take a few moments to make sure that we lock down the security of the device.

Disable dropbear password authentication

It turns out that the EAP-600 runs a really old version of OpenWRT. Because of that, we can use the uci command to turn off password authentication for dropbear:

uci set dropbear.@dropbear[0].PasswordAuth=off
uci commit
/etc/init.d/dropbear restart

After doing this, it is a good idea to verify that it is indeed working as expected. We can do this pretty easily by trying to log into the device using the admin account, which by default has the password 1234.

To check that password authentication is indeed disabled, simply log out of the root shell and then try logging back into the device as the user admin:

ssh -o "PubkeyAuthentication no" admin@<WAP-IP-ADDRESS>

You shouldn't even get a password prompt; it should just say Permission denied (publickey). If you do get a password prompt, type in 1234 and press enter. If it successfully logs you in as the user admin, then something has gone horribly wrong.

Disable IPv6 (!?!)

The SSID-VLAN isolation feature of the EAP-600 has a really bad bug: it doesn't turn off IPv6 (or even SLAAC!) on the individual bridge interfaces. This makes it impossible to prevent users from gaining access to the management web interface using the IPv6 link-local address of the access point.

The easiest, safest, and least fragile way to fix this quickly is simply to disable IPv6 entirely. This kinda sucks, but in practice it is not really that big of a deal: IPv6 still works for hosts, you just have to use IPv4 to access the configuration page or to SSH into the access point if you need to reconfigure it.

To disable IPv6, we once again use the uci command, followed by a reboot:

uci set system.system.ipv6=0
uci commit
reboot

Wait for the AP to come back online and then proceed below to disabling telnet.

Disable telnet

Now that we've got our dropbear daemon set up and tested, we can turn off telnet since we won't be needing it anymore.

/etc/init.d/telnet stop
/etc/init.d/telnet disable

Disable dnsmasq

For some reason, the software on the EAP-600 always runs dnsmasq. This is entirely inappropriate for a wireless access point, which should be just a bridge. You can easily disable it by typing in the following commands:

/etc/init.d/dnsmasq stop
/etc/init.d/dnsmasq disable
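
The checks from the hardening section above can be rolled into one repeatable audit, which is useful after firmware upgrades that reset services. The script below is an added example, not part of the original gist; its function names and sample tree are constructed here, and it assumes the usual OpenWrt layout (UCI files under /etc/config, boot entries named /etc/rc.d/S<NN><service>).

```shell
#!/bin/sh
# Added example (not from the gist): audit the step 9 hardening state of a
# root filesystem tree. On the AP run `audit /`; elsewhere pass a copy.

# Value of the first "option <name>" in a UCI config file, quotes stripped.
# Simplification: the section the option belongs to is not checked.
uci_option() {  # $1 = file, $2 = option name
    [ -f "$1" ] || return 0
    awk -v k="$2" '$1 == "option" && $2 == k { print $3; exit }' "$1" | tr -d "\"'"
}

# "/etc/init.d/<name> enable" creates /etc/rc.d/S<NN><name>; look for that entry.
service_enabled() {  # $1 = root, $2 = service name
    for f in "$1"/etc/rc.d/S*; do
        case ${f##*/} in
            S[0-9]"$2" | S[0-9][0-9]"$2") return 0 ;;
        esac
    done
    return 1
}

# Group and other permission bits as printed by ls, e.g. "------" for 600/700.
go_bits() { ls -ld "$1" | cut -c5-10; }

# Print one FAIL line per finding; print nothing when every check passes.
audit() {  # $1 = root directory
    root=${1%/}
    db=$root/etc/dropbear
    [ "$(uci_option "$root/etc/config/dropbear" PasswordAuth)" = off ] ||
        echo "FAIL: dropbear PasswordAuth is not off"
    [ "$(uci_option "$root/etc/config/system" ipv6)" = 0 ] ||
        echo "FAIL: system.system.ipv6 is not 0"
    [ -s "$db/authorized_keys" ] || echo "FAIL: authorized_keys missing or empty"
    for p in "$db" "$db"/*; do
        [ -e "$p" ] || continue
        [ "$(go_bits "$p")" = "------" ] ||
            echo "FAIL: ${p#"$root"} is accessible to group/other"
    done
    service_enabled "$root" dropbear || echo "FAIL: dropbear not enabled at boot"
    for svc in telnet dnsmasq; do
        if service_enabled "$root" "$svc"; then
            echo "FAIL: $svc still enabled at boot"
        fi
    done
    return 0
}

# Constructed sample tree standing in for the AP's flash; $2 = stock | hardened.
make_sample() {
    mkdir -p "$1/etc/config" "$1/etc/dropbear" "$1/etc/rc.d"
    echo "ssh-rsa AAAA-constructed-key admin@laptop" > "$1/etc/dropbear/authorized_keys"
    : > "$1/etc/rc.d/S50dropbear"
    if [ "$2" = hardened ]; then
        printf "config dropbear\n\toption PasswordAuth 'off'\n" > "$1/etc/config/dropbear"
        printf "config system 'system'\n\toption ipv6 '0'\n" > "$1/etc/config/system"
        chmod 600 "$1"/etc/dropbear/*; chmod 700 "$1/etc/dropbear"
    else
        printf "config dropbear\n\toption PasswordAuth 'on'\n" > "$1/etc/config/dropbear"
        printf "config system 'system'\n\toption ipv6 '1'\n" > "$1/etc/config/system"
        : > "$1/etc/rc.d/S50telnet"; : > "$1/etc/rc.d/S60dnsmasq"
        chmod 644 "$1"/etc/dropbear/*; chmod 755 "$1/etc/dropbear"
    fi
}

# Demo on the constructed stock tree (prints six findings).
demo=$(mktemp -d) && make_sample "$demo" stock && audit "$demo"
rm -rf "$demo"
```

An empty result means every check passed. The audit only reads configuration; the ssh test with PubkeyAuthentication disabled, described above, is still the way to confirm what the running daemon actually accepts.
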
@hanetzer

@darconeous note: That magic command is actually the md5sum of the string 'SenaoWRT' and is shared with at least two more EnGenius devices, the ENS200 and ENS202EXT.

@mystica555

Magic MD5sum works on EAP1750H tested today on firmware '2.0.361' ; It would seem to be pretty standard on all senao/engenius wifi gear due to the wide range of devices working with it.

@hansdg1

hansdg1 commented Jun 7, 2017

Excellent guide! One thing you might mention is that to enter the "cli" environment from the root shell, run /bin/login.sh. Then login with your existing web credentials.

@hansdg1

hansdg1 commented Jun 7, 2017

Also, I confirmed that 1d68d24ea0d9bb6e19949676058f1b93 works for the EAP1200H as well

@mahdifani14

mahdifani14 commented Jun 16, 2017

I applied the procedure on my EnGenius EAP1200H to have the SSH connection for file transferring and it works totally fine.
In my opinion, you could change the post title to a more general one.
Thanks for the post.

@hansdg1

hansdg1 commented Nov 26, 2017

I just upgraded my EAP600 APs to the latest firmware (v 1.6.50) to patch the recent WPA2 vulnerability. The update must've reset the system services, so I had to re-enable dropbear and start it.

/etc/init.d/dropbear enable
/etc/init.d/dropbear start

@newperson1746

newperson1746 commented May 5, 2018

Confirmed on Araknis Networks AN-700-AP-I-AC.
This magic trick comes from the device's /bin/login.sh:

console()
{
        mkdir -p "$download"
        trap "killall eval.sh 2>&- >&2; echo" 2

        if [ "$1" = "1d68d24ea0d9bb6e19949676058f1b93" ]; then
                exec /bin/ash --login

I actually found this independently from the squashfs firmware that was gzipped in the AN-700-AP-I-AC from Araknis Networks (owned by SnapAV.) I looked for the root password and looked for the login script loaded. This was it:

cat etc/passwd
araknis:$1$ERQwQ8JT$8zgaaDVpooNvHgFUvAdhw/:1:1:root:/root:/bin/login_ssh.sh
root:!:0:0:root:/root:/bin/ash
nobody:*:65534:65534:nobody:/var:/bin/false
daemon:*:65534:65534:daemon:/var:/bin/false
sshd:*:27:27:sshd_privsep:/var/empty:/sbin/nologin

login_ssh is just this simple code:

#!/bin/sh
# Copyright (C) 2006 OpenWrt.org

/bin/login.sh "openssh"

Amazing that there is this backdoor. Now I have full control! I came across this by googling that backdoor hash. This should work on all other SnapAV AP's as well. Amazing!

In case anyone's wondering, this magical device has the following banner:

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 KAMIKAZE (bleeding edge, unknown) ------------------
  * 10 oz Vodka       Shake well with ice and strain
  * 10 oz Triple sec  mixture into 10 shot glasses.
  * 10 oz lime juice  Salute!
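
The firmware review described in the comment above (check which accounts log in through a script, then look for fixed tokens in those scripts) can be repeated on any unpacked image before a device is deployed. This is an added example, not part of the original comment; the function names and the sample root filesystem are constructed here, modelled on the snippets quoted above, with a placeholder password hash.

```shell
#!/bin/sh
# Added example (not from the thread): review an unpacked firmware root
# filesystem for script login shells and hard-coded MD5-sized tokens.

# Accounts whose login shell is a script inside the image, not a binary.
script_shells() {  # $1 = rootfs; prints "user shell"
    while IFS=: read -r user x x x x x shell; do
        if [ -f "$1$shell" ] && [ "$(head -c 2 "$1$shell")" = '#!' ]; then
            echo "$user $shell"
        fi
    done < "$1/etc/passwd"
}

# Stand-alone 32-hex-digit literals under bin/ sbin/ etc/ usr/.
# -w keeps longer hex strings (for example SHA-256 values) from matching.
hex_tokens() {  # $1 = rootfs; prints "path:line:token"
    ( cd "$1" && grep -rHnowE '[0-9a-f]{32}' bin sbin etc usr 2>/dev/null ) || true
}

# Constructed sample rootfs; the passwd hash is a placeholder.
make_rootfs() {  # $1 = directory
    mkdir -p "$1/bin" "$1/etc"
    printf '\177ELF' > "$1/bin/ash"
    cat > "$1/etc/passwd" <<'EOF'
araknis:$1$CONSTRUCTED$placeholder:1:1:root:/root:/bin/login_ssh.sh
root:!:0:0:root:/root:/bin/ash
nobody:*:65534:65534:nobody:/var:/bin/false
EOF
    printf '#!/bin/sh\n/bin/login.sh "openssh"\n' > "$1/bin/login_ssh.sh"
    cat > "$1/bin/login.sh" <<'EOF'
#!/bin/sh
console()
{
        if [ "$1" = "1d68d24ea0d9bb6e19949676058f1b93" ]; then
                exec /bin/ash --login
        fi
}
EOF
}

# Demo on the constructed sample.
fw=$(mktemp -d) && make_rootfs "$fw" && script_shells "$fw" && hex_tokens "$fw"
rm -rf "$fw"
```
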

@darconeous
Author

It amazes me that so many modern access points are running a version of OpenWRT from ten years ago.

@blinkstar88

do you have dump files for this router? I need failsafe partition to recover my bricked eap600. thank you

@MrAidynShorts

Just confirming that the "Magic Command" also works w/ EnGenius EAP-300 & EAP-300v2 (Firmware Version 1.7.3).

@abraha2d

abraha2d commented Jun 23, 2019

Can confirm magic command also works on the Engenius ENS1750 / AC1750 (firmware 2.0.201).

@darconeous
Author

OHAI, this guide was cited in a security white paper.

@abraha2d

abraha2d commented Jan 22, 2020

On an EnStation5AC, firmware v3.0.2_c1.8.53, the magic command drops into an unidentified prompt (the prompt is simply >). No commands are recognized other than exit and quit, which both terminate the telnet session. The header says cli(V-1.9.11).

@L14MDP

L14MDP commented Nov 2, 2020

Hi, can you let me know what sort of things you can do once you have got in the backdoor of an Araknis AP? I am specifically looking to be able to only turn on Fast Roaming for specific SSID's, would this be possible?

@MrARM

MrARM commented Dec 20, 2020

Can confirm this also works on the ENH500v2.

@abraha2d

On an EnStation5AC, firmware v3.0.2_c1.8.53, the magic command drops into an unidentified prompt (the prompt is simply >). No commands are recognized other than exit and quit, which both terminate the telnet session. The header says cli(V-1.9.11).

Update: typing ? at the unidentified prompt gives this:

CLI Commands:
        arp                  Display ARP information
        config-backup        Backup config and get download URL
        config-backup-upload Backup config and upload to the remote FTP/TFTP server
        config-restore       Download config from URL and restore it
        exit                 Exit
        factory-default      Restore default config and reboot
        fwupgrade            Download firmware image from URL and upgrade it
        fwversion            Display firmware version
        help                 Help
        logfile              Save log to a file and get download URL
        logfile-upload       Save log to a file and upload to the remote FTP/TFTP server
        meminfo              Display device memory usage
        reboot               Reboot device
        rx_packets           Show WLAN received frame count
        tx_errors            Show WLAN transmitted error count
        tx_packets           Show WLAN transmitted frame count
        brctl
        date
        ifconfig
        iwconfig
        iwlist
        iwpriv
        logread
        ping
        telnet
        traceroute
        uci
        uptime
        vconfig
        wlanconfig

Lots of good stuff, but to achieve a root shell, type login at the unidentified prompt.

@stormwatch

Thank you. I can confirm it also works with the EWS357AP access point



BusyBox v1.25.1 (2019-04-26 10:53:19 CST) built-in shell (ash)

  @@@@@@                                    @@           @@@@@@@@@ `@@@@+@@@
  @@@;@@@                                   @@            @@,,,,@@  @@@  @@@
 @@@   @@  @##@@ @@     @@@@     @@+ `@@    @@            @@    @@   +@@`@:
 @@@      @@@@@@@@@@  #@@@@@@   @@@@@@@@@ @@@@@@@#        @@  @.      @@@@
 `@@@@@'   @@  @@ @@   +   @@     @@@  @` @@@@@@@         @@@@@.       @@
  `@@@@@@  @@  @# @@    @@@@@`    @@        @@            @@  @.      #@@@
 ,`   @@@  @@  @# @@  @@@@@@@`    @@        @@            @@  # @@    @@@@#
 @@    @@  @@  @# @@  @@   #@`    @@        @@            @@    @@   @@  @@
 @@@  `@@ .@@@ @@ @@@ @@  ,@@@  #@@@@@#     @@@@@@@      @@@@@@@@@ .@@@'#@@@@
 @@@@@@@# @@@@ @@ @@@ @@@@@@@@` @@@@@@@     #@@@@@       ;@@@@@@@@  @@@  @@@,

 -----------------------------------------------------------------------------
   For those about to rock... (EWS357AP-3.5.7, 6325775)
 -----------------------------------------------------------------------------
3.5.9.6 build-190426 (6325775)
************************************************************************
Firmware Version : 3.5.9.6              Build Date : 2019-04-26 11:28
************************************************************************

root@EWS357AP:/#

@udippel

udippel commented Apr 29, 2021

Really great, thanks!

For completeness, I want to confirm this also works for EWS350.
Also here, the magic number doesn't seem to do anything, but allows the '?' and the login to root, and

BusyBox v1.19.4 (2018-08-29 17:16:46 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.


  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M

 ATTITUDE ADJUSTMENT (EWS360AP-4, a0b2517)

  * 1/4 oz Vodka      Pour all ingredients into mixing
  * 1/4 oz Gin        tin with ice, strain into glass.
  * 1/4 oz Amaretto
  * 1/4 oz Triple sec
  * 1/4 oz Peach schnapps
  * 1/4 oz Sour mix
  * 1 splash Cranberry juice

3.5.0.11 build-180829 (a0b2517)


Firmware Version : 3.5.0.11 Build Date : 2018-08-29 17:52 +0800


@udippel

udippel commented May 1, 2021

I should add a remark, for completeness. Here it failed over and over. I checked everything.
-> You need to logon as root@.... . I had made the mistake of logging in as the administrative user defined in the GUI.

@waadaa85

It works too on EWS357APv3 firmware 3.8.4.4

Thanks !! :-p

@udippel

udippel commented Aug 4, 2021

Seems pretty widespread!
ECB1750 works similar:
login
magical number
login [NOT the /bin/login.sh as further up]


  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M

 ATTITUDE ADJUSTMENT (ECB1750_1200_v4_REPEATER, 4841772)

  * 1/4 oz Vodka      Pour all ingredients into mixing
  * 1/4 oz Gin        tin with ice, strain into glass.
  * 1/4 oz Amaretto
  * 1/4 oz Triple sec
  * 1/4 oz Peach schnapps
  * 1/4 oz Sour mix
  * 1 splash Cranberry juice

3.0.0


Firmware Version : 3.0.0.4 Build Date : 2017-11-01


We surely could collect a whole set of recipes through EnGenius. ;-)

@mpratt14

mpratt14 commented Sep 4, 2021

Hi all,

Now that Openwrt 21.02 is having the first official stable release, I wanted to announce the support for several Engenius devices here (and other Senao devices that use the same flash layout and upgrade platform). All of these are on the newer kernel target "ath79" not the old "ar71xx". If anyone has EasyWRT or Openwrt installed on their boards currently there are migration instructions here. Note that there are a few models it does not apply to, like ECB1200 / ECB1750

https://openwrt.org/toh/senao/failsafe

Supported on old "ar71xx" target:

  • ENS202EXT v1
  • EAP300 v2
  • ALLNET ALL-WAP02860AC

Newly supported since 19.07:

  • ENS202EXT v1
  • ENH202 v1 (small flash space issue)
  • EAP300 v2
  • ESR600H (ramips target)
  • ECB1200
  • ECB1750
  • ECB350 v1 (small flash space issue)
  • EnStationAC v1
  • ECB600
  • EAP600
  • EAP350 v1 (small flash space issue)
  • EAP1200H
  • ALLNET ALL-WAP02860AC

TODO: (in my possession / working with someone else)

  • Watchguard AP100, AP200, AP300
  • Araknis AN100, AN300, AN500, AN700
  • Fortinet FAP-221-B
  • EPG600 (no VoIP possible unless someone else works on it)
  • ENS200
  • ENS500
  • ENS1200 (EWS660AP)
  • EWS300AP
  • EWS310AP
  • EWS330AP
  • EWS360AP
  • EAP1750H
  • ECB350 v2
  • EAP350 v2
  • ESR300
  • ESR350
  • ESR900
  • ESR1200
  • ESR1750
  • ESR750H
  • ECW120

If anyone has a model not listed here, feel free to reach out to me and we can work together to get it supported. However, I have limited time for a while and I will NOT be working with Wifi 6 devices (802.11ax).

@niklasarnitz

I have two Engenius EWS660AP here.
I would very much like to help to add support for it.

@udippel

udippel commented Dec 23, 2021

Probably gets boring. Nevertheless: works perfectly also on ENH202v1:

BusyBox v1.19.4 (2015-02-02 14:46:25 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.


  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 KAMIKAZE (bleeding edge, r20146) ------------------
  * 10 oz Vodka       Shake well with ice and strain
  * 10 oz Triple sec  mixture into 10 shot glasses.
  * 10 oz lime juice  Salute!

Alas, no new recipe at all :-(

@cjshearer

Works on the EnStation5-AC v2 running 3.7.22.1.

Side note, @mpratt14 any idea if the OpenWRT build for the v1 EnStation is compatible with the EnStation5-AC v2?

BusyBox v1.25.1 (2021-09-09 16:49:26 CST) built-in shell (ash)

  @@@@@@                                    @@           @@@@@@@@@ `@@@@+@@@
  @@@;@@@                                   @@            @@,,,,@@  @@@  @@@
 @@@   @@  @##@@ @@     @@@@     @@+ `@@    @@            @@    @@   +@@`@:
 @@@      @@@@@@@@@@  #@@@@@@   @@@@@@@@@ @@@@@@@#        @@  @.      @@@@
 `@@@@@'   @@  @@ @@   +   @@     @@@  @` @@@@@@@         @@@@@.       @@
  `@@@@@@  @@  @# @@    @@@@@`    @@        @@            @@  @.      #@@@
 ,`   @@@  @@  @# @@  @@@@@@@`    @@        @@            @@  # @@    @@@@#
 @@    @@  @@  @# @@  @@   #@`    @@        @@            @@    @@   @@  @@
 @@@  `@@ .@@@ @@ @@@ @@  ,@@@  #@@@@@#     @@@@@@@      @@@@@@@@@ .@@@'#@@@@
 @@@@@@@# @@@@ @@ @@@ @@@@@@@@` @@@@@@@     #@@@@@       ;@@@@@@@@  @@@  @@@,

 -----------------------------------------------------------------------------
   For those about to rock... (RD_WP7_3.7, e77f809)
 -----------------------------------------------------------------------------
3.7.22.1 build-210909 (e77f809)
************************************************************************
Firmware Version : 3.7.22.1             Build Date : 2021-09-09 17:10
************************************************************************

root@EnStation5-AC:/tmp#

@mpratt14

mpratt14 commented Sep 7, 2022

@cjshearer that image is not compatible, but its hardware is supported, so just a matter of time

they are slightly different hardware qca955x vs qca9563

@obi7zik

obi7zik commented Sep 30, 2022

Works on EWS330AP

@udippel

udippel commented Mar 24, 2023

Alas, no success on EAP1750H

@mpratt14

EAP1750H is currently supported in openwrt master (snapshot images) and will be available in the next stable release

if you really really want to access the shell you can do so with UART. there may be a resistor shorting RX to ground. (see commit message for adding that model)

@udippel

udippel commented Mar 24, 2023

Sorry, didn't read the one up there:

On an EnStation5AC, firmware v3.0.2_c1.8.53, the magic command drops into an unidentified prompt (the prompt is simply >). No commands are recognized other than exit and quit, which both terminate the telnet session.
Lots of good stuff, but to achieve a root shell, type login at the unidentified prompt.

This one also works for EAP1750H.

Very disappointing: No new recipes. Boring chaps over there.
