try putting the /etc/shadow
file with the password set on the image built. I think that it should work
but I think that it is safer to use a script like this:
/usr/bin/passwd root <<EOP
123456
123456
EOP
and you can put it on you image like this:
mkdir ./files/etc/uci-defaults/
cat <<'__EOF__' > ./files/etc/uci-defaults/99_default-password.sh
#!/bin/sh
[ "$(uci -q get system.@system[0].init)" = "" ] && exit 0
[ -e /etc/init ] && exit 0
touch /etc/init
uci batch <<EOC
set system.@system[0].init='initiated'
commit
EOC
/usr/bin/passwd root <<EOP
123456
123456
EOP
exit 0 # IMPORTANT, IF WE NO PUT THIS, WILL EXECUTED ENDLESSLY
__EOF__
you can find my sample for setting default password from label for Tp-link routers here, it uses same method: How to read TP-Link factory wireless pin from flash - art - #6 by braian87b
it is better if you add your ssh public key to the image, and also have a 2nd way to access it,
you can have two different dropbear configuration (one default that only allows you to enter with your ssh key and another in another port for emergency if you lost you ssh key)
if someone reset it again you can enter using your ssh key and remove the emergency dropbear entry, or set another random password, or if you cannot access you can instruct someone to reset and you can enter from LAN with default password. You may want to allow 2222 from wan on firewall to access remotely but it is better to have a vpn or remote access to lan, but overall 22 will only be secure to bruteforce password attacks but not so much for new 0-day exploits on dropbear.
cat<<'EOF' > /etc/config/dropbear
# public-key only (no password allowed) access
config dropbear
option PasswordAuth 'off'
option RootPasswordAuth 'off'
option Port '22'
# Normal dropbear/ssh access (for local LAN)
config dropbear
option PasswordAuth 'on'
option RootPasswordAuth 'on'
option Port '2222'
EOF