Engenius ECW230 (Wifi6 4x4 AP) - $125


dinh3phan

New Member
Sep 25, 2024
8
1
3
I have notes on my computer on how to change the serial number in the NVRAM - it's pretty easy, you'll just need to crack the unit open and connect to the serial header (which I also have notes on). I will post that info after work today.
You are amazing. I tried to get some serial numbers on the internet but could not figure out the pattern. Thank you, Dave.
 

Dave Corder

Well-Known Member
Dec 21, 2015
387
277
63
42
This is going to be a bit of a memory dump, but if something needs more explanation I can provide that.

First, see if you are able to get root access via SSH. Try this (assuming you are on a Mac or Linux system):

ssh -o kexalgorithms=diffie-hellman-group14-sha1 -o hostkeyalgorithms=ssh-rsa admin@IP_OF_AP "fw_printenv" | grep sn

This works on a smattering of device and firmware combinations. It seems to have been closed up in recent firmwares, but may still work for your device. Hopefully you'll see output like this:

sn=QPD1XC3YABCD
snextra=QPD1XC3YABCD


If you do, then the rest is easy - you can set those two firmware environment variables easily using the same SSH technique.

ssh -o kexalgorithms=diffie-hellman-group14-sha1 -o hostkeyalgorithms=ssh-rsa admin@IP_OF_AP "fw_setenv sn QPD1XC3YWXYZ"
ssh -o kexalgorithms=diffie-hellman-group14-sha1 -o hostkeyalgorithms=ssh-rsa admin@IP_OF_AP "fw_setenv snextra QPD1XC3YWXYZ"


The format of an EnGenius serial number is this:

XXXXMMMYYYYC

Where:

XXXX = any four characters
MMM = three-character model code
YYYY = any four characters
C = check character of the string "XXXXMMMYYYY" using the Code27 algorithm.


The model code for the EWS377APv3 is X44, and the model code for the EWS377-FIT is X45. The MongoDB container for a local FIT controller has a table with all the models in it that it supports (I think it's just called 'model' or 'models' - I'd have to check my notes). The Cloud FIT controller may have other, newer models in it.

If the SSH commands above don't work for you, I would recommend just opening up the unit and getting to the UART pads and getting root access that way. (You could try reverting back to an EWS377-FIT firmware from a year or two ago and seeing if that exploit is unpatched in that version, but you could easily brick your unit doing that, so I wouldn't risk it.) I'll post something about the UART pins as soon as I find the pics I took when I worked on mine and slidermike's. But if you want to go hunting, there are two sets of unpopulated 4-pin headers at the front of the PCB. One of them is the main UART and has the standard EnGenius pinout you can find via Google (you just need to connect RX, TX, and GND on a TTL adapter set to 3.3VDC).

BTW, here's some Python3 code to generate a random serial number:

Python:
#!/usr/bin/env python3

import random

# Code27 lookup table: (sum of ASCII codes mod 27) -> check character
CODE27_HASHTABLE = { "0" : "1", "1" : "D", "2" : "K", "3" : "3", "4" : "R", "5" : "5", "6" : "F", "7" : "P", "8" : "W", "9" : "M", "10" : "E", "11" : "4", "12" : "7", "13" : "G", "14" : "T", "15" : "X", "16" : "8", "17" : "V", "18" : "L", "19" : "2", "20" : "J", "21" : "6", "22" : "C", "23" : "9", "24" : "N", "25" : "Q", "26" : "H" }
VALID_SERIAL_CHARS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def compute_code27_check( serial ):
    # Sum the ASCII codes of every character, then look up (sum mod 27) in the table.
    # The accumulator is named "total" so it does not shadow the built-in sum().
    total = 0
    for c in serial:
        total = total + ord(c)
    return CODE27_HASHTABLE[ str(total % len(CODE27_HASHTABLE)) ]

def get_random_string( str_len ):
    # Build a string of str_len characters drawn from 0-9 and A-Z
    rand_string = ""
    for j in range(0, str_len):
        rand_string += random.choice(VALID_SERIAL_CHARS)

    return rand_string

# Serial layout: 4 characters + 3-character model code + 4 characters + check character
model_code = "X45"  # EWS377-FIT
prefix_string = get_random_string( 4 )
suffix_string = get_random_string( 4 )
serial_without_check = prefix_string + model_code + suffix_string
check_character = compute_code27_check( serial_without_check )

print( "{serial}{check}".format( serial = serial_without_check, check = check_character ) )
 
  • Like
Reactions: cybrnook
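
A validator for the serial layout and check character described in the post above, as an added example that is not part of the original post; the function names and the sample serials are constructed for illustration. It also shows that, because the check is a plain sum mod 27, it catches a single changed character but not two swapped ones.

```python
# Added example (not from the thread): validate the XXXXMMMYYYYC layout.
# Index -> check character; same mapping as the table in the post above.
CODE27_TABLE = "1DK3R5FPWME47GTX8VL2J6C9NQH"
VALID_CHARS = set("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ")
# Only the two model codes named in the post; anything else is "unknown".
KNOWN_MODELS = {"X44": "EWS377APv3", "X45": "EWS377-FIT"}


def code27_check(body):
    """Check character: sum of the ASCII codes, mod 27, looked up in the table."""
    return CODE27_TABLE[sum(ord(c) for c in body) % len(CODE27_TABLE)]


def parse_serial(serial):
    """Split a 12-character serial into its fields and verify the check character."""
    serial = serial.strip()
    if len(serial) != 12:
        raise ValueError(f"expected 12 characters, got {len(serial)}")
    bad = sorted(set(serial) - VALID_CHARS)
    if bad:
        raise ValueError(f"characters outside 0-9/A-Z: {bad}")
    body, check = serial[:11], serial[11]
    model_code = body[4:7]
    expected = code27_check(body)
    return {
        "prefix": body[:4],
        "model_code": model_code,
        "model": KNOWN_MODELS.get(model_code, "unknown"),
        "suffix": body[7:],
        "check": check,
        "expected_check": expected,
        "valid": check == expected,
    }


# Constructed sample serials (not real devices).
SAMPLES = [
    "AAAAX45BBBBX",  # well-formed, check character matches
    "AAAAX45BBBCX",  # one character changed: check fails
    "AAAAX54BBBBX",  # two characters swapped: sum unchanged, check still passes
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = parse_serial(s)
        status = "OK" if r["valid"] else f"bad check, expected {r['expected_check']}"
        print(s, r["model"], status)
```

The check character guards against typing mistakes only; a controller that relies on it learns nothing about whether a serial was actually issued to the device.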

dinh3phan

That is so thoughtful and thorough. Thank you. I am onsite for the next few days so I will update the result as soon as I get back. This is the UART area on my EWS377AP v3. It looks like it is the port labelled as "DNI/J2 Uart".
I have bricked a V1. Is it possible to flash the whole firmware file into the flash chip, or do we have to pick some area from the firmware file to write into some specific areas on the flash chip? That V1 has a completely different layout compared to the V3. I did not notice that until too late, and I did not make a backup from the flash IC, of course. Anyway, I got 5 for 100+tax Can, and 4 of them are V3! Still a good way to play :)
 


Dave Corder

Agree that it's J2. I may have the pinout of the UART connector wrong (working off memory from 6 months ago...). Best to go by the markings on the PCB.

On the V1, you should be able to find the UART and get into a U-Boot shell. From there, you can probably follow standard OpenWRT TFTP-based recovery procedures to re-flash the root FS partition on the flash. Hopefully that's all that got mixed up and not any of the config data in other partitions.

In case you didn't know, the EnGenius AP software is based on OpenWRT. The parent company, Senao, encodes and wraps their firmware images with a custom header. There's a utility out there to un-wrap it, which you could then use Binwalk or something on to extract the images for each partition, and then you'd have something you can TFTP to the AP to write to flash.

I did pretty much that when I converted one outdoor AP model to another that had a different flash layout, just so I could add it to the Fitcon controller. The older model wasn't supported in Fitcon (too old) but the newer model was. As far as I could tell, though, the hardware was basically identical - same CPU and wifi chipsets - so I took a gamble and converted it and was able to adopt it into my local FIT controller.

Four V3 units for $100 CAD is a heck of a steal! I love mine. I'll help as best I can to work with you via PM or IM to get the V1 unbricked. If you're in Canada, it's probably not worth the shipping, but if you wanted to send me the V1 I'd be happy to try to recover it for you that way.
 
  • Like
Reactions: dinh3phan

dinh3phan

Thank you for your valuable sharing.
I played with an EWS377AP as soon as I got home, following your instructions.
I tried the SSH method first with all available firmwares. The latest firmware gave nothing. The prior firmwares all asked for the "admin" password; when I provided the web login for admin, it just said something like admin did not have privileges to do ...
I found using UART was easier to do, just a little bit messy removing covers and soldering. Other than that, thanks for your super handy Python code; it works like a charm with Fit Con.
I am now playing with the V1. Will update if I have any progress or kill it completely.
Thank you so much, Dave.
Btw, this site is the place I got those; do not forget to "offer" for a more attractive price. EnGenius EWS377AP 11ax Managed Indoor Wireless Access Point Q_
 

dinh3phan

For the EWS377AP v1 with Fit firmware, surprisingly, connecting to the console showed the unit actually ran the Fit firmware, and even provided a wireless management connection. However, the LAN port did not work at all. And the console kept displaying "led dance", yeah... all LEDs flashed at a 1s period :p. Anyway, I believe I could revert back to the V1 AP firmware, again thanks to Dave's suggestion about OpenWrt. To be continued.
 


dinh3phan

The EWS377 v1 was recovered more easily than I thought: all I had to do was change active_fw to 0, and that was it. However, flashing it to Fit firmware was not successful with any firmware version. I might have to dig into the log to see why the LAN port was completely disabled.
However, I accidentally figured out (or maybe others had figured it out already) that changing the SN of that unit to a Fit SN format will help FitController register the unit. I have not tested it thoroughly, but FitController could assign it to a Wifi network, change its network configuration, and monitor its clients.
 


LV73

New Member
Mar 31, 2025
2
0
1
Hello. I have the Engenius Ewc260. Is there any way to flash the firmware from the Ews850Fit? I only want to use it locally as a mesh client. And only make local settings, not via a cloud. Best regards.
 

bvd

Active Member
Jan 2, 2021
117
111
43
Hehehe, I did a thing...
Did you actually buy the thing? I ended up running mine in a VM, though the complexity of the VM (the services involved I mean) has me a bit concerned that I'm always 1 upgrade away from a wipe/restore lol
 
  • Wow
Reactions: slidermike

luckylinux

Active Member
Mar 18, 2012
837
218
43
I went quickly through the Thread and saw several Mentions of Openwrt.

Yet I don't see anything on the Official OpenWRT Website stating that this Device is supported by "vanilla" OpenWRT :( .

Did I miss something ? Or indeed you are relying on an Unmaintained and old OpenWRT-based build that cannot be "converted" to Mainline ?
 

Dave Corder

I actually figured out how to run the FitCon100 stack on a Raspberry Pi.

The x86 Docker images for a self-hosted controller are at version 1.5.0, but the FitCon 100 software is up to version 1.6.15. I found that those Docker images are available in the same place as the x86 images, and figured out how to install them on a RasPi (then I replaced the stock image on the splash page, which normally shows a picture of the FitCon100, with a poorly-Photoshopped version with a RasPi :))

More details coming later today (after work)...

Edit: still working out a few quirks. Almost ready...
 