x56 / airpyrt-tools

Python module and client for the AirPort device management interface
MIT License

Question: How to enable SSH on AX2 ? #1

Closed lowlevl closed 2 years ago

lowlevl commented 6 years ago

Hi @x56, you did wonderful work; I was able to control my AX2 LED with your software, but how do I enable sshd? I read that AirPorts were on NetBSD and with an unconfigured ssh client, and furthermore, I read that your software could help to gain a root shell on my AX2, so I'm asking for your help ^^

samuelthomas2774 commented 6 years ago

Hi @Nurrl,

To enable SSH on an AirPort base station you just need to set the dbug property to 0x3000, like this:

python -m acp -t {ipv4-address} -p {password} --setprop dbug 0x3000
python -m acp -t {ipv4-address} -p {password} --reboot

Then connect to the device with the username root and whatever password you use to manage the device.

As far as I know all AirPort base stations run NetBSD, but I only have two different models to test. The AirPort Extreme 802.11ac (version 7.7.8) runs NetBSD version 6.0, and the AirPort Express 802.11n (2nd Generation, version 7.6.8) runs NetBSD version 4.0. I am able to connect to them using SSH to set static routes and can also manipulate the PF ruleset to do what I want. I am unable to get native IPv6 over PPPoE working though. It isn't a full install of NetBSD though and is missing some utilities. The filesystem is also reset at boot. If you want to save anything you need to save it in /mnt/Flash.

I've uploaded the scripts I use and other information about AirPort base stations here: https://github.com/samuelthomas2774/airport.

lowlevl commented 6 years ago

Hi @samuelthomas2774, I'm very enthusiastic about the work done here, and I'm ready to continue the project and document it, to release a Jailbreak on AirPorts. But first I need some information:

I've got some ideas about things we could do to boost up the uses of these products ^^

lowlevl commented 6 years ago

@x56 / @samuelthomas2774 (Up)

lowlevl commented 6 years ago

@samuelthomas2774 / @x56 I really need to ask you some questions; do you have Discord?

lowlevl commented 6 years ago

Up ? @samuelthomas2774 @x56

samuelthomas2774 commented 6 years ago

@Nurrl I'm on Discord if you want to talk to me on there: https://discordapp.com/invite/qc9SZwq. I've not really done much work with AirPort devices since my first reply other than attempting to rewrite this project in JavaScript.

NoahCardoza commented 5 years ago

Hi @Nurrl,

To enable SSH on an AirPort base station you just need to set the dbug property to 0x3000, like this:

python -m acp -t {ipv4-address} -p {password} --setprop dbug 0x3000
python -m acp -t {ipv4-address} -p {password} --reboot

Then connect to the device with the username root and whatever password you use to manage the device.

As far as I know all AirPort base stations run NetBSD, but I only have two different models to test. The AirPort Extreme 802.11ac (version 7.7.8) runs NetBSD version 6.0, and the AirPort Express 802.11n (2nd Generation, version 7.6.8) runs NetBSD version 4.0. I am able to connect to them using SSH to set static routes and can also manipulate the PF ruleset to do what I want. I am unable to get native IPv6 over PPPoE working though. It isn't a full install of NetBSD though and is missing some utilities. The filesystem is also reset at boot. If you want to save anything you need to save it in /mnt/Flash.

I've uploaded the scripts I use and other information about AirPort base stations here: https://github.com/samuelthomas2774/airport.

How would you reverse this? What would you set dbug to?

samuelthomas2774 commented 5 years ago

The default is 0 so:

python -m acp -t {ipv4-address} -p {password} --setprop dbug 0x0000
python -m acp -t {ipv4-address} -p {password} --reboot

I don’t know any other values for the dbug property or how @x56 knows that 0x3000 enables SSH.

NoahCardoza commented 5 years ago

Great! That's what I was guessing but then I wondered why SSH access wouldn't plainly be 1 and I didn't want to break anything!

Thanks!

floam commented 5 years ago

There are likely a number of bit flags that can be set via dbug, of which enabling sshd is one. I'm too frightened to just try flipping some bits to 1 to learn what happens, however.

I'd love to know the story of how exactly @x56 figured it out. I really assumed one would have to solder pins in and connect via a serial console to get into an AirPort AP.

1gr8dane commented 5 years ago

Well.... I'm a total newbie to this, so I assumed that I, in Terminal, issue the command:

python -m acp -t 192.168.1.29 -p password --setprop dbug 0x3000

But when I do that I am told:

/usr/bin/python: No module named acp

I have Python installed, but no clue on how to use it. What I need is a "how to enable SSH on Airport Extreme, or Time Capsule, for dummies". Can anyone help?

samuelthomas2774 commented 5 years ago

@1gr8dane You need to install AirPyrt first. https://github.com/samuelthomas2774/airport/wiki/AirPyrt#installation

RYunisov commented 4 years ago

Hello there! @samuelthomas2774 I have an AirPort Time Capsule A1470, firmware 7.7.9. I have installed the acp module, but when I try to send property dbug 0x3000 I receive an error:

INFO:connecting to host 10.0.1.1:5009
DEBUG:old value: 12288 type: <type 'int'>
DEBUG:new value: 12288 type: <type 'int'>
DEBUG:prop: ('dbug', 12288)
DEBUG:ACP message header fields, parsed not validated
DEBUG:magic           'acpp'
DEBUG:header_checksum 0x4dd705ad
DEBUG:body_checksum   0x1
DEBUG:body_size       0x0
DEBUG:flags           0x1
DEBUG:unused          0x0
DEBUG:command         0x15
DEBUG:error_code      -0x10
DEBUG:key             '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
set_properties error code: -0x10

I also tried running it with node-acp and received this error:

acp setprop dbug 0x3000 --host 10.0.1.1 --password passwd
Connected undefined
Authenticating
Authentication stage one data { state: 1, username: 'admin' }
0 'Sending data' <Buffer 61 63 70 70 00 03 00 01 ff 95 10 fe e6 0d 0b af 00 00 00 24 00 00 00 04 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0e 39 ... >
0 'Receiving data' <Buffer 61 63 70 70 00 03 00 01 5d 41 05 2c 96 64 e2 bd 00 00 01 ca 00 00 00 05 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ... >
0 'Receiving data' <Buffer 43 46 42 30 d0 70 73 61 6c 74 00 4f 10 10 41 15 97 d2 a5 17 70 d5 46 eb f0 ae 9f d3 5a d3 70 67 65 6e 65 72 61 74 6f 72 00 41 02 70 70 75 62 6c 69 63 ... >
Authentication stage two data { salt: <Buffer 41 15 97 d2 a5 17 70 d5 46 eb f0 ae 9f d3 5a d3>,
  generator: <Buffer 02>,
  publicKey:
   <Buffer 7e c6 db 4b 5f f8 a8 cc 56 27 2b b0 e5 74 f3 93 26 8c f7 db 03 fc d4 4f b6 7c 38 93 20 ff d1 75 c5 5d d3 f5 53 cb 0f a3 81 dc 05 4b 08 e9 72 ec e0 42 ... >,
  modulus:
   <Buffer 9d ef 3c af b9 39 27 7a b1 f1 2a 86 17 a4 7b bb db a5 1d f4 99 ac 4c 80 be ee a9 61 4b 19 cc 4d 5f 4f 5f 55 6e 27 cb de 51 c6 a9 4b e4 60 7a 29 15 58 ... > }
getA: client key length 190 is less than the recommended 256 bits
Authentication stage 3 data { iv: <Buffer bf e5 c9 42 30 d3 5b e9 f8 dc ad 42 b8 0c 03 10>,
  publicKey:
   <Buffer 32 53 43 ae 0a 81 52 ad 90 f7 3b 82 25 d6 60 79 3b 9d 0f 89 4c 30 48 af 78 35 99 27 ca 13 1b 94 1b 0f 12 ca c0 cd f0 06 c0 8d 3b 65 8b ef f7 bb 56 00 ... >,
  state: 3,
  response:
   <Buffer 22 b4 99 48 15 25 5e 1f ed a2 48 fc 76 de 8a 05 d9 e1 f4 0d> }
0 'Sending data' <Buffer 61 63 70 70 00 03 00 01 dd 73 10 b3 01 91 82 58 00 00 01 19 00 00 00 04 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0e 39 ... >
0 'Receiving data' <Buffer 61 63 70 70 00 03 00 01 2a 0a 05 4a 00 00 00 01 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 1a ff ff e5 9e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ... >
Error: Authenticate stage 4 error code -6754
    at Client.authenticateStageThree (/usr/local/lib/node_modules/node-acp/dist/client.js:344:19)

Am I wrong?
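Added example, not part of the post above or of either project: the last `Receiving data` line can be decoded by hand to see where the reported error comes from. It assumes the header is a run of big-endian 32-bit words in the order the acp debug log prints them, with one extra word after the magic that the log does not name (called `version` here as a guess); under that reading the bytes `ff ff e5 9e` are the signed value -6754 that node-acp reports.

```python
import re
import struct
from collections import namedtuple

# Field names from "header_checksum" on are the ones the acp debug log prints.
# "version" is an assumed name for the word after the magic, which that log
# does not show. All words are read as big-endian 32-bit values.
AcpPrefix = namedtuple(
    "AcpPrefix",
    "magic version header_checksum body_checksum body_size "
    "flags unused command error_code",
)
_PREFIX = struct.Struct("!4s7Ii")  # 36 bytes; error_code is signed

# Last 'Receiving data' line from the node-acp output above (the logger cut it
# off after 50 bytes, which is enough for the fields decoded here).
LAST_REPLY = (
    "0 'Receiving data' <Buffer 61 63 70 70 00 03 00 01 2a 0a 05 4a 00 00 00 01 "
    "00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 1a ff ff e5 9e 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 ... >"
)


def bytes_from_node_log(line):
    """Extract the bytes of a node '<Buffer .. >' dump from one log line."""
    match = re.search(r"<Buffer ([^>]*)>", line)
    if match is None:
        raise ValueError("no <Buffer ...> dump on this line")
    return bytes.fromhex("".join(re.findall(r"\b[0-9a-f]{2}\b", match.group(1))))


def parse_prefix(data):
    """Decode the first 36 header bytes; reject short or non-ACP input."""
    if len(data) < _PREFIX.size:
        raise ValueError("need %d bytes, got %d" % (_PREFIX.size, len(data)))
    header = AcpPrefix._make(_PREFIX.unpack_from(data))
    if header.magic != b"acpp":
        raise ValueError("magic is %r, not b'acpp'" % (header.magic,))
    return header


if __name__ == "__main__":
    reply = parse_prefix(bytes_from_node_log(LAST_REPLY))
    print("command=%#x flags=%#x body_size=%d error_code=%d"
          % (reply.command, reply.flags, reply.body_size, reply.error_code))
```
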

iibach commented 4 years ago

The default is 0 so:

python -m acp -t {ipv4-address} -p {password} --setprop dbug 0x0000
python -m acp -t {ipv4-address} -p {password} --reboot

I don’t know any other values for the dbug property or how @x56 knows that 0x3000 enables SSH.

I tried. 0x0000 doesn't work. Need to SSH into the AirPort and remove the dbug value. I forgot the exact command since I turned SSH off already. Something like acp {remove prop} dbug. Tried that, it should work since I cannot ssh back into it now..:P

0x416c6578 commented 4 years ago

Following @iibach's comment, the command is acp remove dbug which should disable sshd.

bzember commented 3 years ago

Hello there! @samuelthomas2774 I have an AirPort Time Capsule A1470, firmware 7.7.9. I have installed the acp module, but when I try to send property dbug 0x3000 I receive an error:

Am I wrong?

Do not use the IP address; use the hostname instead. But I did not know how to resolve the name 🙂, so I made changes in the /private/etc/hosts file and added xxx.xxx.xxx.xxx capsule.

I'd like to thank all of you who helped me with changing the region on the ATC.

Edit: the hostname of the AirPort is generated from its name. Name "AirPort Extreme 802.11ac" => "Airport-Extreme-802-11ac.local": replace " " and "." with "-" (and probably all non a-z, 1-9 characters too) and add ".local".

RJVB commented 2 years ago

To enable SSH on an AirPort base station you just need to set the dbug property to 0x3000, like this:

python -m acp -t {ipv4-address} -p {password} --setprop dbug 0x3000
python -m acp -t {ipv4-address} -p {password} --reboot

Old exchange, sorry, but how does one deactivate SSH again? The dbug property didn't exist on my TC, so logically I'd assume you'd want to unset it to disable SSH access and any kind of debug mode, but I see no command to unset a property?

floam commented 2 years ago

0?

RJVB commented 2 years ago

On Monday February 14 2022 16:10:25 Aaron Gyes wrote:

0?

Possibly. SSH access is disabled if you set dbug to something not containing 0x3000 (I mistyped and set 0x300 initially) but setting a property to 0 isn't necessarily the same as unsetting it. Either way, I haven't yet noticed any performance ramifications of setting dbug so I guess 0 will do.

I did notice that a reboot seems to take a lot longer than a powercycle; is that normal?

floam commented 2 years ago

These are likely flags in an enum. There are possibly a number of debug flags that can be flipped on or off here with bitwise operations.

Obviously 0x300 (0x0300) and 0x3000 are quite different but I'm gonna bet a dollar zeroing out all the bits is the only way to unset it properly. It'd just be pretty surprising if 0xFFFF was the default, considering all the zeros spaces involved with just turning on SSH.

0x3000 is 0b11000000000000 - it's a decent assumption it's turning two things on. It might actually be the highest value - or there may be many other flags. But your lack of success with 0x300 (again, aka 0x0300 or in binary 0b0000001100000000) doesn't seem to inform much. 0x300 is likely either invalid and the same as zero or you're flipping on some options we can't predict.

I'd suggest treating zero as the safest way to turn off the debug mode(s).
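Added example, not part of the comments above or of the project: the bit arithmetic in this exchange, written out so a dbug value read back from a device can be checked before anything is written. `SSH_MASK`, `audit_dbug` and the three state labels are names chosen here; the only facts taken from the thread are that 0x3000 enables sshd and that 0x300 did not.

```python
SSH_MASK = 0x3000  # the value the thread reports as enabling sshd (bits 12 and 13)


def set_bits(value):
    """Return the positions of the bits that are 1, lowest first."""
    return [i for i in range(value.bit_length()) if (value >> i) & 1]


def audit_dbug(raw):
    """Describe a dbug value given as '0x3000', '12288' or an int.

    The acp debug log prints the value in decimal (12288), so both
    spellings are accepted.
    """
    value = int(str(raw), 0)
    if value < 0:
        raise ValueError("dbug is treated here as an unsigned flag word")
    overlap = value & SSH_MASK
    if overlap == SSH_MASK:
        ssh = "enabled"   # both bits of 0x3000 present, as in the thread
    elif overlap == 0:
        ssh = "off"       # shares no bit with 0x3000 (0 and 0x300 both land here)
    else:
        ssh = "unknown"   # only one of the two bits: the thread never tested this
    return {
        "value": value,
        "bits": set_bits(value),
        "ssh": ssh,
        # Flags outside the mask; their meaning is not known from the thread.
        "other_bits": value & ~SSH_MASK,
    }


if __name__ == "__main__":
    for sample in ("0x3000", "0x300", "12288", "0x0000"):
        print(sample, audit_dbug(sample))
```
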

x56 commented 2 years ago

Thanks for trying out my tool and supporting each other with this. I'm closing all issues before archiving the project. If anyone is so inclined, this repo and a couple of my old blog posts contain the building blocks to answer the open questions in the thread.