SOLVED: Anyone know what this is on telnet login

I was given a mini router and asked if I could get into it without overwriting the current OS. Firing it up, it picks up a DHCP IP and the only open port is telnet/23.

When I try to log in, it gives the following:

tr,aes256-ctr hmac-sha1,hmac-sha2-256,hmac-md5 hmac-sha1,hmac-sha2-256,hmac-md5n

No other controls, nothing I can enter, just sits there.
Never seen this before. Has someone else?
Since it shows something about ssh, does it mean it's using ssh but on port 23?

SOLVED: Turns out it was ssh running on port 23.

1 Like

Is this device running an official version of OpenWrt? If so, which one?

Telnet is no longer included on OpenWrt for any recent versions. Only ssh. Telnet is not secure.

1 Like

Have you tried using ssh instead on this port?

The message is a little strange with all the ciphers available.

1 Like
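
Why a telnet client prints a run of cipher and MAC names here, as an added example that is not part of the thread: an SSH server speaks first, sending a plain-text identification line followed by an unencrypted KEXINIT packet whose algorithm name-lists are readable ASCII. The sample greeting, its `SSH-2.0-example_1.0` banner and the function names are constructed for illustration; only the cipher and MAC names echo the output quoted above.

```python
import struct

SSH_MSG_KEXINIT = 20
KEXINIT_FIELDS = [  # the ten name-lists, in RFC 4253 section 7.1 order
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
    "compression_c2s", "compression_s2c", "languages_c2s", "languages_s2c",
]


def parse_ssh_greeting(data: bytes):
    """Return (identification string, KEXINIT name-lists), or None if not SSH."""
    if not data.startswith(b"SSH-"):
        return None  # e.g. a real telnet daemon, which opens with IAC bytes
    line, _, rest = data.partition(b"\n")
    ident = line.rstrip(b"\r").decode("ascii", "replace")
    algos = {}
    # Binary packet layout: uint32 packet_length, byte padding_length, payload
    if len(rest) >= 6 and rest[5] == SSH_MSG_KEXINIT:
        pos = 6 + 16  # skip the message type byte and the 16-byte cookie
        for field in KEXINIT_FIELDS:
            if pos + 4 > len(rest):
                break  # truncated capture
            (n,) = struct.unpack_from(">I", rest, pos)
            names = rest[pos + 4 : pos + 4 + n].decode("ascii", "replace")
            algos[field] = names.split(",") if names else []
            pos += 4 + n
    return ident, algos


def build_sample() -> bytes:
    """Constructed server greeting (not captured from the device in the thread)."""
    lists = [b"diffie-hellman-group14-sha1", b"ssh-rsa",
             b"aes128-ctr,aes256-ctr", b"aes128-ctr,aes256-ctr",
             b"hmac-sha1,hmac-sha2-256,hmac-md5",
             b"hmac-sha1,hmac-sha2-256,hmac-md5",
             b"none", b"none", b"", b""]
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # type + zeroed cookie
    payload += b"".join(struct.pack(">I", len(x)) + x for x in lists)
    payload += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    pad = 8 - (len(payload) + 5) % 8
    pad += 8 if pad < 4 else 0  # at least 4 bytes of padding are required
    packet = struct.pack(">IB", len(payload) + 1 + pad, pad) + payload + bytes(pad)
    return b"SSH-2.0-example_1.0\r\n" + packet


if __name__ == "__main__":
    print(parse_ssh_greeting(build_sample()))
```

A telnet client shows the same bytes raw, so the length prefixes and cookie appear as unprintable characters and only the comma-separated names stay legible.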

It's a device that was put inside of my friend's solar installation. The installer abandoned him, leaving him to figure out his own system.

I'm trying to help figure out the whole system. This device probably sends some updates from the solar manager to something but I need to understand what it's doing so I can see what my next steps are.

On port 80, I can see MiniBox v1.0, which I found on the OpenWrt site, but it doesn't look the same as this device. This device looks like this:


That is probably not running a genuine OpenWrt version if it doesn't actually reflect that on the web interface. You should contact the manufacturer of that device for help.

1 Like

They are out of business. Yes, ssh responded on port 23.
I get a login prompt.

Thanks everyone.

I can log in using ssh on port 23 but as soon as I enter a user name like root, it just throws an ssh error.

ssh fatal error
Disconnected. No supported authentication methods available (server sent publickey)

Likely have to try different ssh keys maybe.

It does reset like OpenWrt (with port 80 open for a FW update), or maybe others do the same.
I don't know, thought I'd give it a try as it might help with the overall system.

Unfortunately, if it is using public key authentication you have basically zero chance of logging in without knowing the key.

You would need an alternate access exploit to open up ssh first and for an unknown device like this that would seem unlikely, unless you crack it open and what’s inside is actually a more common device.

To move forward you are going to need to open it and connect via serial.

1 Like

I took it apart. There are three holes/pads but no pins. Not worth the time, too much to figure out.
Only two pads have connections and I can't recall if two is enough for a serial connection.

You need Tx, Rx, and ground (3 pins)

Since the device is almost certainly not running an official OpenWrt build, it is technically out of scope for this forum. You may want to find other identifiers for the device and search the web more broadly to get help with that unit.

EDIT: Actually, if this is the correct device, it may be supported by OpenWrt. There isn't much info about it, but maybe you can flash OpenWrt official onto it. To do so, though, you'd have to erase everything on the unit.

That is the device. I thought I mentioned it above.
I decided to solder some pins on it and am seeing output but it's nothing intelligible.

The board looks almost identical to this one.

Yes, I could write openwrt on it but I'm actually trying to get into it to see how it's logging the solar activity.

   Image name:   OpenWrt r49599
   Image type:   MIPS Linux Kernel Image (lzma compressed)
   Data size:    1158832 Bytes = 1.1 MB
   Load address: 0x80060000
   Entry point:  0x80060000

Uncompressing kernel image... OK!
Starting kernel...

[    0.000000] Linux version 3.18.84 (sean@ubuntu) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r49599) ) #1 Tue Jan 30 17:35:50 PST 2018
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019374 (MIPS 24Kc)
[    0.000000] SoC: Atheros AR9330 rev 1

uboot> help

?           - alias for 'help'
bootm       - boot application image from memory
cp          - memory copy
dhcpd       - invoke DHCP server to obtain IP/boot params
erase       - erase FLASH memory
erase_gs    - erase FLASH support 4_byte mode.
help        - print embedded help
httpd       - start www server for firmware recovery
md          - memory display
mm          - memory modify (auto-incrementing)
mtest       - simple RAM test
mw          - memory write (fill)
nm          - memory modify (constant address)
ping        - send ICMP ECHO_REQUEST to network host
printenv    - print environment variables
printmac    - print MAC address(es) stored in flash
printmodel  - print router model stored in flash
reset       - perform RESET of the CPU
setenv      - set environment variables
setmac      - save new MAC address in flash
startnc     - start net console
startsc     - start serial console
tftpboot    - boot image via network using TFTP protocol
version     - print U-Boot version
write_gs    - write FLASH support 4_byte mode.


Guess I need to go find some documentation on what to do now. I'd like to get it back to port ssh 22 but need to get into the OS. I think I'm in some boot environment.

Never done this before :).

What happens if you hit enter?

Does the device have a reset button?

Sorry, I updated my last comment :).

ok... so it is booting into uboot, not all the way into openwrt. But you can see if you can get the web server running and then try loading a fresh copy of OpenWrt. Normally you'd want to use a "factory" image, but all I see is a sysupgrade option.

I hit enter as it started booting and got into the boot tool.
I don't want to overwrite the image. I want to regain access to the existing OpenWrt OS now.

uboot> version
U-Boot 1.1.4 (Jul 27 2017)

Guess I just need to dig up some info on this then. Not sure how I'll get to edit the openwrt stuff but I'll need to change the ssh to something normal and set a root password.

Just as an FYI, the firmware on there is ancient (OpenWrt ChaosCalmer 15.05) and has a significant number of security vulnerabilities that are obviously not patched. That device should not be used on the internet at all, and it should probably not be used at all unless it is absolutely guaranteed that only trusted people/systems could gain access.

Why do you want/need to keep the existing firmware and settings on there?

It's only going into the garbage once I am done with it, not on the Internet.
The company that was supporting our systems is leaving us hanging and to fend for ourselves. The components they sold us are no longer available since the company went into bankruptcy.

Since they left us with all the equipment, I figure I'm justified to do whatever we want since we paid for everything. Therefore, I'm trying to figure out how this thing polled the solar system to see if I can continue supporting our systems.

I don't have to share all kinds of personal info about the companies involved, I'm just trying to use open source tools to learn for myself.

I was sure I've read that once you're able to get to the boot level, you can do other things to get back into the existing openwrt OS. I'm looking on the net for old posts, etc.

Oh, I'm not questioning your justification. I'm just asking why you don't want to update it to a newer version that would be more secure.

This is kind of what I was asking... this answers why you might need to keep the existing system intact. That said, it may or may not be clear how it works with your solar system.

I wasn't asking about personal info or companies involved. No, you don't have to tell us about that.

Cool. Honestly the best way to do this would be to use a normal router with OpenWrt (a current version without customization), or really any linux based system. This way you can learn about these systems without the extra hurdles that may have been put in place by the company who provided the device you're working with. OTOH, this does present a fun little challenge to get through those obstacles.

1 Like

I actually want to get into it so I can look at whatever scripts were used, etc., to poll the systems for details. That's what will give me the leads I need to find a way to monitor our own systems.
The systems are PLC based and this device was inserted inside of another larger device to capture that data. That's what I'm digging for.