Dynalink DL-WRX36 Askey RT5010W IPQ8072A technical discussion

I received my device and I have been playing with the OEM firmware to better understand it.

So far I have figured out how ssh and web access work, and why it was confusing early on in the thread (ssh and web UI can have a different password).

/etc/shadow has the password for ssh, and probably serial as well (if required).
/etc/config/pwd has the password for the web UI.

There is also an additional step for enabling ssh.
In addition to enabling the dropbear instance on /etc/config/dropbear, the user has to be authorized for "local ssh" access on /etc/config/pwd.

Here is a summary to reliably get ssh access on the OEM firmware:

  1. Download config, decrypt, and uncompress it
    • To decrypt (assumes downloaded config is called "backup.cfg"):
    # openssl enc -d -aes-256-cbc -a -in backup.cfg -out backup.tar.gz -pass pass:AskeyRT5000wKey1357924680
    
  2. /etc/config/dropbear: Enable dropbear instance on lan interface
    # (change enable from 0 to 1)
    config dropbear
        option Interface 'lan'
        option enable    '1'
    
  3. /etc/config/pwd: Enable local ssh access for the admin user
    # (change local_ssh from 0 to 1)
    config userinfo 'subscriber'
        option local_ssh '1'
    
  4. /etc/shadow: Change password for the admin user to a known value
    • Example: set password to "askey1234"
    admin:$1$0Zm8tfKN$3hW1vziEpFyHfBu.uJ.q61:17410:0:99999:7:::
    
  5. Compress configuration and encrypt it (assumes source directory is called "backup"):
    # tar czf backup-enable_ssh.tar.gz -C backup etc lib
    # openssl enc -e -aes-256-cbc -a -in backup-enable_ssh.tar.gz -out backup-enable_ssh.cfg -pass pass:AskeyRT5000wKey1357924680
    
  6. Upload configuration (device will automatically reboot)
  7. SSH to the router using "admin" as the user

Credits to @lmore377 for finding how to decrypt and encrypt the config on link (from this thread)

9 Likes
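
An added example, not part of the original post: a shell check that reads a decrypted and extracted backup directory and reports the two ssh gates described above (dropbear `enable` and `local_ssh`) plus whether the admin entry in /etc/shadow still carries the example hash posted in step 4. The function names `uci_option` and `audit_backup` are hypothetical, and it assumes the directory layout from step 1 (`etc/config/dropbear`, `etc/config/pwd`, `etc/shadow`).

```shell
#!/bin/sh
# Audit an extracted OEM config backup for the ssh-related settings.
# Example code added for illustration; not from the firmware or the thread.

# Hash posted in the thread for the password "askey1234" (step 4).
PUBLISHED_HASH='$1$0Zm8tfKN$3hW1vziEpFyHfBu.uJ.q61'

# uci_option FILE OPTION [SECTION_REGEX]
# Print the value of the first matching "option" line, quotes stripped.
# Prints nothing if the file or the option is missing.
uci_option() {
    awk -v opt="$2" -v sect="${3:-.}" -v q="'" '
        $1 == "config" { in_sect = ($0 ~ sect); next }
        in_sect && $1 == "option" && $2 == opt {
            v = $3; gsub("[" q "\"]", "", v); print v; exit
        }' "$1" 2>/dev/null || true
}

# audit_backup DIR
# Print one summary line. ssh counts as enabled only when both gates are 1.
audit_backup() {
    dir=$1
    # Only the first dropbear instance is inspected.
    drop=$(uci_option "$dir/etc/config/dropbear" enable)
    lssh=$(uci_option "$dir/etc/config/pwd" local_ssh subscriber)
    hash=$(awk -F: '$1 == "admin" { print $2; exit }' \
        "$dir/etc/shadow" 2>/dev/null || true)

    case $hash in
        "$PUBLISHED_HASH") pw=published ;;  # password is public knowledge
        '')                pw=empty ;;      # no hash, or no admin entry/file
        '!'*|'*'*)         pw=locked ;;
        *)                 pw=set ;;
    esac

    if [ "$drop" = 1 ] && [ "$lssh" = 1 ]; then
        ssh=enabled
    else
        ssh=disabled
    fi
    echo "dropbear_enable=${drop:-unset} local_ssh=${lssh:-unset} admin_password=$pw ssh=$ssh"
}

# Usage: sh audit.sh backup
if [ $# -gt 0 ]; then
    audit_backup "$1"
fi
```

A result of `admin_password=published ssh=enabled` means the device accepts ssh logins with a password that is printed in this thread, so the admin password should be changed after first login.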