OpenWrt Forum Archive

Topic: Aerohive BR100 - How to get past Uboot password

The content of this topic has been archived on 30 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have acquired a retired Aerohive BR100 which is an Atheros AR9331 based system that seems to be based on the AP121 standard with 16MB flash and 64MB RAM.   See https://wikidevi.com/wiki/Aerohive_BR100 for additional details.  Apparently Aerohive does not conform to the GPL license and no source is available.  Uboot appears to be password locked.  See log from console port below:

AP121-2MB (ar9330) U-boot

DRAM:  64 MB
Top of RAM usable for U-Boot at: 84000000
Reserving 210k for U-Boot at: 83fc8000
Reserving 136k for malloc() at: 83fa6000
Reserving 44 Bytes for Board Info at: 83fa5fd4
Reserving 36 Bytes for Global Data at: 83fa5fb0
Reserving 128k for boot params() at: 83f85fb0
Stack Pointer at: 83f85f98
relocating and jumping to code in DRAM
Now running in RAM - U-Boot at: 0x83fc8000
flash size 16777216, sector count = 256
ag7240_enet_initialize...
: cfg1 0xf cfg2 0x7114
eth0: 08:ea:44:05:b6:80
eth0 up
: cfg1 0xf cfg2 0x7214
eth1: 08:ea:44:05:b6:81
athrs26_reg_init_lan
ATHRS26: resetting s26
ATHRS26: s26 reset done
eth1 up


chip #0: First 0x6 last 0x6 sector size 0x10000
^H^H^H^H   6
Hit the space bar to stop the autoboot process:  0 
Password:

I can get shell access using the default admin/aerohive credentials. However, the shell doesn't appear to be a busybox shell and appears to be locked down as I could not seem to identify any valid command.  Anyone out there have any idea how to determine the Uboot password and/or how to get an actual usable shell?  Wikidevi has dmesg output left by an anonymous user that appears to have originated in Germany.  I assume from this that someone has determined a way to get shell access to the system.

Should be quite simple really if you get the right prerequisites.

First, get yourself a SPI reader. Either go DIY like this post with detailed instructions here (instructions are simple and requirements are minimal): http://write-code.blogspot.co.uk/2012/0 … m8650.html

Or buy one on eBay for $20. Or get a Bus Pirate device, since they can read lots of things.

Then connect everything up to the SPI flash chip of the device. I recommend using the power from an orange 3.3V wire from an ATX PSU instead of the batteries in that simple circuit from the blog I linked; then you should be 100% good to go.

Make sure to keep the reset button pressed at all times in order to halt the CPU while you are using SPIPGM so it does not interfere with your flash chip reading attempts. Try without reset button pressed first to see if it works. Or, if you have a hot air gun just desolder the chip and do it off circuit.

Then, after you get a dump of the flash chip try and run binwalk on it to see if you can detect the partitions and unpack the dump into its components such as UBoot, kernel, rootfs etc.

Next, use software like IDA or radare2 to decompile the UBoot binary and find its password (no need to understand assembly, it will be easy to spot since it's just a quick password check). Try and search for the string "Password" and you will find the correct password pretty quickly.

Please report back and let us know how it goes or if you need any help. Keep up the good work on those Merakis!

(Last edited by bulanula on 16 Aug 2016, 23:57)
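As an added illustration of the "run binwalk on the dump" step in the post above (example code written for this thread, not part of the original post and not binwalk's own code), the script below does the most basic thing a carving tool does: it walks a flash dump for well-known magic values (the 64-byte U-Boot legacy uImage header and the SquashFS superblock magic) and, for each uImage hit, validates the header CRC the way U-Boot itself does so that stray magic bytes in a 16 MB dump are not reported as partitions. The 1 MiB image it scans is constructed inline for the demonstration; the offsets, image name and payload are made up and say nothing about the real BR100 layout, which you can only learn from your own dump.

```python
import struct
import zlib

# U-Boot legacy image ("uImage") header: 7 big-endian u32 fields, 4 u8 fields,
# then a 32-byte NUL-padded name. Magic value is 0x27051956.
UIMAGE_MAGIC = b"\x27\x05\x19\x56"
UIMAGE_HDR = ">IIIIIIIBBBB32s"
UIMAGE_HDR_LEN = struct.calcsize(UIMAGE_HDR)  # 64 bytes

# Four-byte magics only: two-byte ones (e.g. JFFS2's 0x1985) give far too many
# false hits on a 16 MB dump to be useful without further checks.
SIGNATURES = {
    UIMAGE_MAGIC: "U-Boot legacy image (uImage) header",
    b"hsqs": "SquashFS superblock, little-endian",
    b"sqsh": "SquashFS superblock, big-endian",
}


def parse_uimage(image, offset):
    """Parse the uImage header at `offset`; return None if the header CRC fails."""
    hdr = image[offset:offset + UIMAGE_HDR_LEN]
    if len(hdr) < UIMAGE_HDR_LEN:
        return None
    (magic, hcrc, _ts, size, load, ep, dcrc,
     os_, arch, typ, comp, name) = struct.unpack(UIMAGE_HDR, hdr)
    if magic != 0x27051956:
        return None
    # U-Boot computes ih_hcrc over the header with the ih_hcrc field zeroed.
    zeroed = hdr[:4] + b"\0\0\0\0" + hdr[8:]
    if zlib.crc32(zeroed) & 0xFFFFFFFF != hcrc:
        return None
    payload = image[offset + UIMAGE_HDR_LEN:offset + UIMAGE_HDR_LEN + size]
    data_ok = len(payload) == size and (zlib.crc32(payload) & 0xFFFFFFFF) == dcrc
    return {
        "size": size, "load": load, "entry": ep,
        "os": os_, "arch": arch, "type": typ, "comp": comp,
        "name": name.rstrip(b"\0").decode("ascii", errors="replace"),
        "data_crc_ok": data_ok,
    }


def scan(image):
    """Return sorted (offset, description) pairs for every validated signature hit."""
    hits = []
    for magic, desc in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            if magic == UIMAGE_MAGIC:
                hdr = parse_uimage(image, pos)
                if hdr is not None:  # a bare magic with a bad CRC is dropped
                    hits.append((pos, "%s: name=%r size=%d load=0x%08x data_crc_ok=%s"
                                 % (desc, hdr["name"], hdr["size"], hdr["load"], hdr["data_crc_ok"])))
            else:
                hits.append((pos, desc))
            pos = image.find(magic, pos + 1)
    return sorted(hits)


def make_uimage(payload, name, load=0x80060000, entry=0x80060000):
    """Build a valid uImage (OS=Linux, arch=MIPS, type=kernel, comp=lzma) around `payload`."""
    dcrc = zlib.crc32(payload) & 0xFFFFFFFF
    hdr = struct.pack(UIMAGE_HDR, 0x27051956, 0, 0, len(payload), load, entry,
                      dcrc, 5, 5, 2, 3, name.encode("ascii"))
    hcrc = zlib.crc32(hdr) & 0xFFFFFFFF
    return hdr[:4] + struct.pack(">I", hcrc) + hdr[8:] + payload


# Constructed sample data; not taken from any real device.
SAMPLE_KERNEL_PAYLOAD = b"\x00" * 4096 + b"constructed kernel payload"


def build_sample_image():
    """Constructed 1 MiB dump: erased flash (0xFF) with a uImage at 0x20000, a
    SquashFS magic at 0x80000, and a stray uImage magic at 0x30000 that has no
    valid header behind it, to show the CRC check filtering it out."""
    img = bytearray(b"\xff" * 0x100000)
    kernel = make_uimage(SAMPLE_KERNEL_PAYLOAD, "Linux Kernel (constructed)")
    img[0x20000:0x20000 + len(kernel)] = kernel
    img[0x30000:0x30004] = UIMAGE_MAGIC
    img[0x80000:0x80004] = b"hsqs"
    return bytes(img)


if __name__ == "__main__":
    for off, desc in scan(build_sample_image()):
        print("0x%08x  %s" % (off, desc))
```

Against a real dump, replace `build_sample_image()` with `open("dump.bin", "rb").read()`; the uImage name and load address it prints is what you would then cross-check against the boot log above (the `Reserving ... for U-Boot at:` lines tell you where the loader runs, not where it lives in flash).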

I don't know if the original poster solved their question or not, but for anyone who is googling this problem and coming across this thread hoping for the answer:

Try this password: administrator

I have not tried this on the BR100 specifically, but this is worth trying, since it works on another Atheros-based Aerohive device that I have.

Now, a new question:  Does anyone know what the password is for the undocumented _shell command in HiveOS?  I cannot find *that* anywhere.  It would be nice to have, since that may allow reflashing these devices without having to take them apart to access the UART.

The password for the _shell command is unique to each device. The only way I have gotten them was to have some sort of support case going that required _shell access. I doubt they will just give it out upon request.

That said, I have encountered a number of them where that password was blank.
