By default the passwords are “encrypted” so you can not tell what the password is.
No way to view cnPilot WiFi password in the Web UI
We covered decrypting the passwords from the config file from cambium cloud. But what about a local router that is not connected to the cloud. What then?
Thankfully everything you need is on the router. We’ll need to use the command line tools.
Now we can decrypt the password. Replace the string at the end with the encrypted string
3des_hex -d c760ba8ffe65c669
It should now display the decrypted password
# 3des_hex -d c760ba8ffe65c669
12345678#
Note that it puts the # symbol after the password and if you try to type something in, it clears the line. you can use the following to have cleaner output.
So if I want to continuously ping a website, say incredigeek.com, I can put in the following
ping -n 0 incredigeek.com
Hit return and we are off to the races. But wait. I can’t get it to stop. Ctrl + C, doesn’t do anything, Ctrl + D or Ctrl +Z don’t help either.
Okay well fine. We’ll launch another terminal and ssh into it again and see what we can do. Excellent, now we are in aaand… wait… why are the ping results showing up here too? Help!!!
Buried in the heart of the helpful help command are these lines.
ping -- Send ICMP ECHO_REQUEST packets to network hosts
pingend -- End ICMP ECHO_REQUEST packets to network hosts
You don’t say. Well lets try typing in pingend with all the commotion going on in the terminal.
SSH+> pingend
Ping statistics for 142.250.191.206:
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss)
Well good to know. Saves having to reboot the device.
In the cambium cloud you can retrieve a config from a router, modify it and reapply it or make a template from it. All the passwords are “encrypted” so you can’t read what the WiFi password is for example.
Example config line looks like
WPAPSK1=[c760ba8ffe65c669]
Looks like it uses some sort of des3 hex encryption.
Fortunately there is a utility on the routers we can use to decrypt the encrypted string.
First we need a router that we can SSH into.
Info on the encryption
The Cambium router uses the 3des_hex utility to decrypt and encrypt strings
It is located /sbin/3des_hex
Decrypting a password
Decrypting is super easy.
3des_hex -d "c760ba8ffe65c669"
Replace the key with the key you want to decrypt.
Encrypting a password
Not really sure if this would ever be needed, but you can use the -e option to encrypt a string
3des_hex -e "12345678"
More info.
It looks like it needs the lib file “/lib/libuClibc-0.9.33.2.so”
/sbin/3des_hex is where the main file is stored though.
The config_manager.sh script in /sbin has the functions that encrypt and decrypt the config lines.
Had a radio briefly showing an error in red on the web page saying “Bandwidth PLL lock lost” The radio seems to operate so not sure if it is an actual issue or maybe an ongoing bug.
We have been experiencing a problem with our Cambium routers where they randomly drop and are unresponsive till a reboot. They’ll also stop handing out addresses on the LAN side.
A reboot “fixes” the problem, until it does it again. You can trigger the behavior by running a port scan against the router. Wondering if the CPU/Memory get overloaded?
nmap -T4 -A -v 192.168.11.1
While running a scan on the LAN side, the web interface slows down, but doesn’t seem to take it down as fast as a scan on the WAN side.
goahead.sh is a script that may be maxing out the cpu, but could be completely unrelated.
Resolution
Configuring the “Allowed Remote IP(IP1;IP2;)” to limit WAN access effectively blocks port scans and resolves the issue. Setting is under Administration -> Management -> Web Settings. You can add multiple ranges with
10.0.0.0/8;172.16.0.0/12;192.168.0.0/16
Configure Allowed Remote IP cnPilot R195W
It looks like the public ip ranges are limited to /24’s so if you you have a block of public IP addresses larger than a /24, you’ll need to break it down into 24’s to work properly.
Template for cnMaestro
You can also create a template in the Cambium Cloud so you can apply the change to multiple routers fairly easily.
Go to Configuration -> Templates and add a new template.
And then you can go to your device -> Configuration and apply your new config.
Apply Allowed WAN IPs Template
Do note that if you run a scan from an allowed range, it still seems to cause problems. But at least setting the Allowed Remote IPs will keep others from scanning your network and causing problems on your R195’s.
nvram_
nvram_get nvram_set
nvram_get
Usage:
nvram_get [] []
command:
rt2860_nvram_show - display rt2860 values in nvram
rtdev_nvram_show - display 2nd ralink device values in nvram
show - display values in nvram for
gen - generate config file from nvram for
renew - replace nvram values for with
clear - clear all entries in nvram for
platform:
2860 - rt2860
rtdev - 2nd ralink device
file:
- file name for renew command
nvram_get show
2860
nvram_get show 2860
The following are errors that are returned when trying to ssh to a device.
Cambium 450i PMP Equipment
Unable to negotiate with 192.168.0.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
The following template can be used to set the user name and passwords for cambium pmp gear. Create a new template in cnMaestro, past in the following, change the passwordEncrypted to the hash of your password and run the config.
You can get the hashed password by pulling it out of a current radio config.
