Open Saturn49 opened 5 years ago
It turns out the stock firmware opens up port 8139 for SSH already, but I can't figure out the username and password. Sleuthing through the source shows that it should be cristal/[GUI password] or cristal/admin.
Dropbear authentication was modified: https://github.com/Saturn49/wecb/blob/master/rtl819x/users/dropbear/dropbear-0.52/common-session.c line 467 has a hard-coded username and looks like it tries to look up the admin (user 3?) password.
https://github.com/Saturn49/wecb/blob/master/rtl819x/users/ctl/files/target/wecb/etc/cfg.xml line 2381-2382
JDEkU2pBL3daeGEkRW9oRnEydjlzcjh6Z1FjT2RpblNaMQ== decodes to $1$SjA/wZxa$EohFq2v9sr8zgQcOdinSZ1 which is an MD5 hash for "admin" (per John the Ripper)
However, I couldn't get either to work, nor could I get it to open up the normal ssh or telnet port by uncommenting them from the startup script here: https://github.com/Saturn49/wecb/blob/master/rtl819x/customers/CUSTOMER/WCB3000/filesystem/etc/init.d/rcS lines 125 and 129.
Not sure where to go from here.
While I wasn't able to get in via dropbear, I did find this gem in boa (the web server): https://github.com/Saturn49/wecb/blob/master/rtl819x/users/boa/src/get.c#L401
So if you navigate a web browser to http://your-host/telnetd_start, you'll be redirected to the login page, but now you can telnet to it. Use root/admin to log in.
Have you been able to find a solution to getting dropbear/ssh working? I've been perusing code and having a hard time with this. Is it boa that's the issue? data_center? dropbear itself? I'm rather inclined to compile unmodified dropbear and see what happens.
No, I was never able to figure out why the credentials I found didn't work. I was able to get into it with telnetd just fine though.
I tried compiling an unmodified dropbear, but it wouldn't run. When I compiled and ran it, I got an error (something about syntax error, expecting ')' ).
I was able to compile a pristine dropbear using the mips tools. I've tried multiple versions, the latest being 2019.78. The problem I had with the prior attempt was that it was compiling for x86... Well, I've copied the new one over, and it still doesn't allow logging in. I can't even ssh locally on the device.
Host 'localhost' is not in the trusted hosts file.
(fingerprint md5 da:b3:ed:7b:92:8c:63:45:1b:98:95:bb:95:3a:3b:53)
Do you want to continue connecting? (y/n) y
root@localhost's password:
root@localhost's password:
root@localhost's password:
root@localhost's password:
It's weird. I'll keep investigating.
Success!!! I completely replaced dropbear-0.52 with dropbear-2020.80. I only had to edit the Makefile in the dropbear directory to reference dropbear-2020.80 rather than dropbear-0.52. Here's the difference in patch format:
--- Makefile.backup 2020-09-02 19:41:49.876776622 -0700
+++ Makefile 2020-09-02 22:52:07.669006740 -0700
@@ -28,7 +28,7 @@
INSTALL_ROOT = $(DIR_ROMFS)
INSTALL_ROOT ?= $(shell pwd)/install
-SRC_DIR = dropbear-0.52
+SRC_DIR = dropbear-2020.80
CONFIGURE_ARGS = --host=mips-linux \
--with-shared \
--disable-pam \
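Review bot: swapping SRC_DIR from dropbear-0.52 to dropbear-2020.80 silently drops the local change to common-session.c in the 0.52 tree (the hard-coded username / admin-password lookup cited earlier in this thread), so the build now authenticates through stock dropbear against the target's password database; that is probably why it finally works, and it belongs in the commit message. Also confirm that the unchanged CONFIGURE_ARGS (--host=mips-linux --with-shared --disable-pam) are still accepted by the 2020.80 configure script rather than assuming they carry over across a twelve-year version jump.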
@@ -50,7 +50,7 @@
@echo DOING UPDATE
@echo UPDATING tags file
make -C $(SRC_DIR) PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp" MULTI=1 SCPPROGRESS=1
- make -C $(SRC_DIR) PROGRAMS="dropbearconvert"
+ #make -C $(SRC_DIR) PROGRAMS="dropbearconvert"
romfs:
# Install for dropbear
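Review bot: the separate `make -C $(SRC_DIR) PROGRAMS="dropbearconvert"` should be deleted, not left behind as a commented-out recipe line. The preceding MULTI=1 invocation already lists dropbearconvert in PROGRAMS, so the line was redundant even before this change, and a `#`-prefixed recipe is something the next editor still has to reason about.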
@@ -61,6 +61,7 @@
ln -sf /usr/sbin/dropbear $(DIR_ROMFS)/usr/bin/ssh
ln -sf /usr/sbin/dropbear $(DIR_ROMFS)/usr/bin/dbclient
ln -sf /usr/sbin/dropbear $(DIR_ROMFS)/usr/bin/dropbearkey
+ ln -sf /usr/sbin/dropbear $(DIR_ROMFS)/usr/bin/dropbearconvert
mkdir -p $(DIR_ROMFS)/etc/config
$(ROMFSINST) ./files/dropbear.config /etc/config/dropbear
mkdir -p $(DIR_ROMFS)/etc/init.d
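Review bot: the new dropbearconvert symlink follows the ssh/dbclient/dropbearkey pattern, which is correct for a MULTI=1 build, but note that the `mkdir -p $(DIR_ROMFS)/usr/bin` visible in this patch sits further down under "# Install for dropbearconvert"; if nothing earlier creates $(DIR_ROMFS)/usr/bin, all four `ln -sf` lines depend on build order, so move the mkdir ahead of the link block (or add one here) rather than relying on it.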
@@ -71,7 +72,7 @@
touch $(DIR_ROMFS)/etc/dropbear/dropbear_dss_host_key
# Install for dropbearconvert
mkdir -p $(DIR_ROMFS)/usr/bin
- $(ROMFSINST) $(SRC_DIR)/dropbearconvert /usr/bin/dropbearconvert
+ #$(ROMFSINST) $(SRC_DIR)/dropbearconvert /usr/bin/dropbearconvert
cp dropbear_wecb_rsa $(DIR_ROMFS)/etc/dropbear/ -a
firsttime: clean
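Review bot: with the $(ROMFSINST) line commented out, the `# Install for dropbearconvert` header and its `mkdir -p $(DIR_ROMFS)/usr/bin` are stale; remove the commented line and either retitle or drop the section so the Makefile does not describe an install step that no longer happens. Separately, the unchanged `cp dropbear_wecb_rsa $(DIR_ROMFS)/etc/dropbear/ -a` on the next line bakes one RSA host key from the repository into every image, so every device built from this tree shares the same private host key; since dropbearkey is already installed via the multi-binary, the dropbear upgrade is a good moment to generate a per-device key at first boot instead.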
The way to get the ssh password is to execute in a terminal:
echo -n "admin" | md5sum | tr a-z A-Z | cut -c -6
Replace "admin" with your password in case you have changed it via the web interface.
Then you can log in with the resulting 6 characters as the password with:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 cristal@[your device ip] -p 8139
Would help for debugging other issues
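As an added example (not code from this thread or from the wecb repository), the arithmetic behind the two credentials discussed above, worked in Python so it can be checked offline: decoding the base64-wrapped `$1$` MD5-crypt hash quoted from cfg.xml and testing a candidate GUI password against it, then deriving the 6-character dropbear password exactly as the `echo -n ... | md5sum | tr a-z A-Z | cut -c -6` pipeline does. The MD5-crypt routine is the standard algorithm (the same one `openssl passwd -1` and BusyBox crypt() implement); the cfg.xml value is the one quoted earlier, "admin" is the thread's default, and the candidate list in `recover_from_cfg` is a constructed illustration, not anything taken from the device.

```python
import base64
import hashlib

# crypt(3) base64 alphabet, used by the $1$ output encoding
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Value quoted from cfg.xml earlier in this thread (lines 2381-2382 there).
CFG_XML_PASSWORD = "JDEkU2pBL3daeGEkRW9oRnEydjlzcjh6Z1FjT2RpblNaMQ=="


def _to64(value: int, count: int) -> str:
    """Emit `count` characters of the crypt(3) alphabet, low 6 bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: bytes, salt: bytes, magic: bytes = b"$1$") -> str:
    """Standard MD5-crypt ($1$): what glibc/BusyBox crypt() and `openssl passwd -1` compute."""
    salt = salt[:8]  # the algorithm uses at most 8 salt characters
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bit = len(password)
    while bit:  # feed a NUL or the first password byte per bit of len(password)
        ctx.update(b"\x00" if bit & 1 else password[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed stretching loop
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups
    )
    encoded += _to64(final[11], 2)
    return (magic + salt).decode() + "$" + encoded


def decode_cfg_hash(b64_value: str) -> str:
    """cfg.xml stores the crypt string base64-wrapped; unwrap it."""
    return base64.b64decode(b64_value).decode()


def gui_password_matches(b64_value: str, candidate: str) -> bool:
    """Recompute $1$<salt>$ over the candidate and compare with the stored string."""
    stored = decode_cfg_hash(b64_value)
    magic, salt, _digest = stored[1:].split("$")  # "$1$salt$hash" -> ["1", "salt", "hash"]
    return md5crypt(candidate.encode(), salt.encode(), f"${magic}$".encode()) == stored


def dropbear_password(gui_password: str) -> str:
    """Same as: echo -n "$pw" | md5sum | tr a-z A-Z | cut -c -6"""
    return hashlib.md5(gui_password.encode()).hexdigest().upper()[:6]


def recover_from_cfg(b64_value: str, candidates):
    """Offline workflow: recover the GUI password from cfg.xml, then derive the SSH one.

    Returns (gui_password, ssh_password) or None if no candidate matches.
    """
    for candidate in candidates:
        if gui_password_matches(b64_value, candidate):
            return candidate, dropbear_password(candidate)
    return None


if __name__ == "__main__":
    # Constructed candidate list for illustration only.
    print(decode_cfg_hash(CFG_XML_PASSWORD))
    print(recover_from_cfg(CFG_XML_PASSWORD, ["password", "cristal", "admin"]))
```

Two things worth noticing from running it: the cfg.xml hash is salted MD5-crypt with 1000 iterations, so it has to be cracked (or checked against a guess) rather than reversed, whereas the dropbear password is a deterministic truncation of an unsalted MD5 of the same GUI password, which means anyone who knows the GUI password, or recovers it from a cfg.xml backup, also has the SSH password for user cristal.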