Title: enable telnetd on unmodified firmware (temporary)
Post by: zeroxfer on September 29, 2007, 21:18:49 PM

My Device is SMCWAPS-G with an internal HD. This concept should work on other brands as well.

Here's one way to enable telnetd on unmodified firmware by using FTP and backup_usb.sh. This mod will reset after you reboot the Device.

SMC Firmwares
http://62.168.45.50/smc/drivers/storage/WAPS-G/
http://62.168.45.50/smc/drivers/storage/WAPS-G/R400b8a/

R4.00b8a 2006/9/8
Fix the problem: After upgrading the firmware R400b8, SMC_WAPS-G may not start the internal harddisc sometimes.

R4.00b8 2006/8/24
If harddisc has been idle for more than 5 minutes, it will become powerdown state.

R4.00b5v4 2006/3/13
Modified the "Router" texts to "SMCWAPS-G" in Backup setting option.

R4.00b5v3 2006/3/10
Modified all "barricade" texts to "SMCWAPS-G" in UI.
Added a message on login page. (the default password is smcadmin!)

** R4.00b5v3 & R4.00b5v4 has telnetd in busybox.
** R4.00b8a has no telnetd.
** If your device is not SMC, please follow direction to change firmware header

-------
Steps
-------
1. Enable FTP on the Device

-----------
2. How to enable FTP for root with / folder access?
   a. FTP into Device using Username nobody and Password of <blank> (no password). Filezilla is a good FTP app to use.
   b. Download /etc/passwd to your computer
   c. Edit local copy of passwd and change root account to following (set root's password to same as nobody's)

      root:$1$$qRPK7m23GJusamGpoGLby/:0:0:root:/:/bin/ash

   d. FTP into Device using Username nobody and upload local passwd file to /etc/passwd
   e. Now you can FTP as Username root and Password of <blank> (no password) with access to root directory
   f. If you mess up passwd file and lock yourself out, please reboot the Device to reload passwd.

-----------
3. Busybox with telnetd?
   Get a file listing of /sbin. If your busybox has telnetd, you will see the file telnetd.
   If your version of busybox has no telnetd, you can get another version of busybox with telnetd.
   SMC's R4.00b5v4 busybox has telnetd. You can obtain it thru:
   a. Flash R4.00b5v4's firmware. Download R4.00b5v4's /bin/busybox as busybox.b5v4 (thru FTP)
   b. Download and extract attached file busybox.b5v4.zip
   c. Download from URL http://rapidshare.com/files/59329456/busybox.b5v4.html

   If your busybox has no telnetd:
   a. Upload busybox.b5v4 to /bin/busybox.b5v4
   b. Set execute permission on busybox.b5v4 (thru FTP)

-----------
4. Start telnetd in /bin/backup_usb.sh (backup function).
   a. FTP into Device as root.
   b. Download /bin/backup_usb.sh to local
   c. Modify local file backup_usb.sh and add "busybox telnetd &" or "busybox.b5v4 telnetd &" after the first line.

      #!/bin/sh
      busybox telnetd &
      # or
      # busybox.b5v4 telnetd &
      # or
      # telnetd &

   d. Insert a flash drive into Device's USB port
   e. On the Device, hold down backup button for 4+ seconds to start /bin/backup_usb.sh. This will start telnetd.

-----------
5. Telnet into the Device as Username root and Password of <blank> (no password)

Title: Re: enable telnetd on unmodified firmware (temporary)
Post by: firetwister on October 09, 2007, 09:11:39 AM

Thank you for the information.
I tried to get telnetd and dropbear ssh working, but failed. Telnetd reported "all terminals in use". However no pty support in kernel would be more precise.

I was also not able to overwrite busybox, but I didn't try it with ftp. I used the /-symbolic link directory traversal hack I described here:
http://www.macsat.com/macsat/component/option,com_openwiki/Itemid,66/id,temporary_modifications_to_the_initrd/

I have a Level-1 WAP-0007.

Seems like no telnetd for me without updating the kernel, but I also need netfilter, which also cannot be loaded completely as module :(

Title: Re: enable telnetd on unmodified firmware (temporary)
Post by: Ernst on January 13, 2008, 01:17:47 AM

Hi,
Just a short note; I tried this route but on my CHD2WLANU (both b5 and b7 software) the user nobody does have a password so this trick doesn't work.

Flashing it with b7unlock and then with Schufti's 400s0 worked fine; I now have telnet and autoexec.

Ernst

Title: Re: enable telnetd on unmodified firmware (temporary)
Post by: schufti on January 13, 2008, 01:29:55 AM

Hi!
Don't use the damn b7unlock. Nowadays for all vendors there is a GPL capable FW available (even from perl). With that FW you can load any of my update FW and hey-presto telnet is enabled.

b7unlock users: depending on what box you had, you will panic if you try to do the next orig FW update...

schufti

Title: Re: enable telnetd on unmodified firmware (temporary)
Post by: tcc1000 on January 13, 2008, 12:53:27 PM

Actually, Safecom don't appear to have released any new firmware since the box first came out.

Title: Re: enable telnetd on unmodified firmware (temporary)
Post by: jimcpl on September 01, 2008, 03:47:13 AM

Hello,
I'm new here, but I just got an SMCWAPS-G. The FW version is R4.00b5v3.

I wanted to try to enable telnet per the original post. I can FTP in as "nobody", and get the /etc/passwd file, but I cannot upload to the SMCWAPS-G. When I try to upload I get "Unable to create file".

Here's what "/" looks like when I FTP in as "nobody":

    ftp> pwd
    257 "/"
    ftp> ls -al
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxr-xr-x   18 0   0      1024 Aug 30 23:50 .
    drwxr-xr-x   18 0   0      1024 Aug 30 23:50 ..
    drwxr-xr-x    2 0   0      1024 Aug 30 23:50 Configure
    drwxr-xr-x    2 0   0      1024 Jan 11  2006 bin
    drwxr-xr-x    3 0   0      6144 Aug 30 23:50 dev
    drwxr-xr-x    6 0   0      1024 Aug 30 23:50 etc
    drwxr-xr-x    2 0   0      1024 Jan 11  2006 home
    drwxr-xr-x    4 0   0      1024 Jan 11  2006 lib
    drwxr-xr-x    3 0   0      1024 Jan 11  2006 libexec
    lrwxrwxrwx    1 0   0        11 Jan 11  2006 linuxrc -> bin/busybox
    drwx------    2 0   0     12288 Jan 11  2006 lost+found
    drwxr-xr-x    4 0   0      1024 Aug 30 23:50 mnt
    dr-xr-xr-x   39 0   0         0 Aug 30 23:50 proc
    drwxr-xr-x    2 0   0      1024 Jan 11  2006 root
    drwxr-xr-x    2 0   0      1024 Jan 11  2006 sbin
    dr-xr-xr-x    3 0   0      1024 Aug 31 06:36 share
    drwxr-xr-x    2 0   0      1024 Jan 11  2006 tmp
    drwxr-xr-x    3 0   0      1024 Aug 30 23:50 usr
    drwxr-xr-x    7 0   0      1024 Aug 31 06:36 var
    226 Directory send OK.
    ftp: 1198 bytes received in 0.01Seconds 119.80Kbytes/sec.
    ftp>

I guess that it looks like everything is owned by root:root, so the "nobody" user can't write to the filesystem, so I was wondering how to accomplish what was described in the original post on this thread?

Thanks,
Jim
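
A defender-side check for the two changes the first post makes (a blank-password root entry in /etc/passwd and a telnetd line in /bin/backup_usb.sh), as an added example that is not part of the thread. The function names and the sample file contents are constructed for illustration; only the hash string is taken from the first post.

```python
import re

# Hash the first post writes into root's entry so that root shares
# nobody's blank password (value copied from the post).
BLANK_HASH_FROM_POST = "$1$$qRPK7m23GJusamGpoGLby/"


def audit_passwd(text):
    """Return (user, finding) pairs for risky entries in passwd-format text."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw == "" or pw == BLANK_HASH_FROM_POST:
            findings.append((user, "blank password"))
            if uid == "0":
                findings.append((user, "blank-password uid 0 account"))
    return findings


def audit_script(text):
    """Return the non-comment lines of a shell script that start telnetd."""
    # Matches "telnetd", "busybox telnetd", "/bin/busybox.b5v4 telnetd", ...
    pat = re.compile(r"^\s*(\S*busybox\S*\s+)?telnetd\b")
    return [l.strip() for l in text.splitlines() if pat.search(l)]


# Constructed sample inputs (not taken from a real device).
SAMPLE_PASSWD = """\
root:$1$$qRPK7m23GJusamGpoGLby/:0:0:root:/:/bin/ash
nobody:$1$$qRPK7m23GJusamGpoGLby/:99:99:nobody:/home:/bin/false
admin:$1$constructed$notARealHashValue0000:500:500:admin:/home:/bin/ash
"""
SAMPLE_SCRIPT = """\
#!/bin/sh
busybox.b5v4 telnetd &
# telnetd &
echo "starting backup"
"""

if __name__ == "__main__":
    for user, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"passwd: {user}: {finding}")
    for hit in audit_script(SAMPLE_SCRIPT):
        print(f"backup_usb.sh: starts telnet daemon: {hit}")
```

Because the thread notes that the change is lost on reboot, such a check only sees it when run against files pulled from the running device.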