I think I have a way to crossflash them, but I need to find a couple model-specific pieces of information. If you still have that backup, it might contain what I need, otherwise I think I'm going to have to break out my USB to serial adapter and open up one of my APs and connect to the UART console...
Engenius ECW230 (Wifi6 4x4 AP) - $125
- Thread starter bvd
- Start date
Notice: Page may contain affiliate links for which we may earn a small commission through services like Amazon Affiliates or Skimlinks.
Well, I have a root console via the UART on one of my ECW230's. It may only be a matter of time now before I find a way to flash it to an ECW377v3...
Success! I flashed it with the latest EWS377APv3 firmware (EWS377APv3-v3.9.3.2_c1.9.51.bin). After it rebooted, I got the non-cloud UI and can see the registration check code I need to adopt it into ezMaster (which I did).
There's a Senao-specific header at the beginning of the firmware .bin file. It has a vendor ID, device ID, and magic number in them. The cloud web UI performs a rudimentary check of those three parts of the header to see if the firmware is valid. All I needed to do was update the EWS377APv3-v3.9.3.2_c1.9.51.bin file with a hex editor with the values expected by the ECW230v3 stock firmware, and then it happily accepted and flashed the firmware image. Once it rebooted, it was just a matter of grabbing the registration check code from the new web UI and using it in ezMaster. I can provide more detail later, but this is what the header needs to look like:
In particular, it's the 0101 at bytes 7-8, then 011c at 11-12, and the D00DFEED at the end that need to be set for the stock cloud firmware to validate the bin file.
Now I just need to test the AP and see if actually works with the firmware (beyond being able to present the web UI and show the check code).
Edit: IMPORTANT! Reset the AP to factory defaults after cross-flashing the firmware. Mine would not actually connect to ezMaster until I did so. After resetting, the model number shows up as EWS377APv3 in the web UI and ezMaster is able to push the configuration to it.
There's a Senao-specific header at the beginning of the firmware .bin file. It has a vendor ID, device ID, and magic number in them. The cloud web UI performs a rudimentary check of those three parts of the header to see if the firmware is valid. All I needed to do was update the EWS377APv3-v3.9.3.2_c1.9.51.bin file with a hex editor with the values expected by the ECW230v3 stock firmware, and then it happily accepted and flashed the firmware image. Once it rebooted, it was just a matter of grabbing the registration check code from the new web UI and using it in ezMaster. I can provide more detail later, but this is what the header needs to look like:
In particular, it's the 0101 at bytes 7-8, then 011c at 11-12, and the D00DFEED at the end that need to be set for the stock cloud firmware to validate the bin file.
Now I just need to test the AP and see if actually works with the firmware (beyond being able to present the web UI and show the check code).
Edit: IMPORTANT! Reset the AP to factory defaults after cross-flashing the firmware. Mine would not actually connect to ezMaster until I did so. After resetting, the model number shows up as EWS377APv3 in the web UI and ezMaster is able to push the configuration to it.
Last edited:
Now I'm tempted to pick up a Netgear WAX218 off eBay and see if those are cross-flashable, too (there's a couple there going for about a hundred bucks).
Edit: The WAX218 has 512 MB of RAM, the EWS377APv3/ECW230 has 1 GB, and they have slightly different partition layouts on their NAND flash, so I'm not going to pursue this...got enough other little projects on my plate.
Edit: The WAX218 has 512 MB of RAM, the EWS377APv3/ECW230 has 1 GB, and they have slightly different partition layouts on their NAND flash, so I'm not going to pursue this...got enough other little projects on my plate.
Last edited:
@Dave Corder , do you think you would be kind enough to share a step by step tutorial for those of us who have the same APs, loath cloud based but are not as experienced (but willing to follow the lead)?
I bought a pair of these based on all the rave reviews and while they are ok, having the ability to manage them locally would be much better.
Thank you
Mike
I bought a pair of these based on all the rave reviews and while they are ok, having the ability to manage them locally would be much better.
Thank you
Mike
Yeah, I'd be happy to, but it'll probably be a day or two before I can get to that. I'm not sure about publicly posting the modified firmware file, but if you want to PM me I can send it to you.
It should take a json payload... I think?
Engenius only publicly documents their cloud API as far as I'm aware, but they don't really link it anywhere that I've found... You just kinda 'have to know about it' I guess (kinda lame). You can find it here, though it won't be terribly useful for this endeavor (in case anyone's looking for it in the future!)
The tough part would be flashing it back once you figured it out - even if you somehow get a copy of the cloud firmware, they do definitely have checksums built in which seemed to block me from going back. I still need to find the time to look for the old backup, I never delete anything so it has to be around here somewhere :|
Last edited:
I don't know if this is against the rules on STH (I'll remove it if it is), but here's the ECW377APv3.bin file modified to be able to be flashed onto the ECW230 (v3) hardware though the basic web UI on it. Wait about 10 minutes for the flash process to complete and the unit to reboot, then log back into the web UI (it'll still say ECW230 at this point) and perform a factory reset. Wait for that to complete and log back in again and the web UI should now say "EWS377APv3"). From there it should be the same as a real ECW377APv3 (complete with the check code to add it to ezMaster), but I make no promises about functionality or that the process won't brick your unit or somehow set it on fire or kick your dog or something...
mega.nz
(If you come across the post in the future and the link is dead, PM me and I'll re-upload it).
24.35 MB file on MEGA
(If you come across the post in the future and the link is dead, PM me and I'll re-upload it).
@Dave Corder thank you for sharing your hard work. I was able to flash my device and add to ezMaster by following your approach and using your modified firmware. Brilliant!
Same for me. @Dave Corder efforts and directions are much appreciated. Both of my acw230's had to be power cycled after the firmware flash but otherwise it went as described. Pending the new proxmox environment build in a few weeks, i can get a VM spun up for ezMaster. Great not having to rely on the cloud for local configuration.
I'm very curious about this piece as well. I'm going on vacation for most of next week, but I intend to look at this piece as well when I get back. (I found an online hash calculator that uses a handful of common and simple algorithms, and was able to determine that the check code is *not* based on a simple checksum on the serial number, base MAC address, or a combination of the two.)
Glad to hear it's worked for a couple of people so far! I was PM'd a question about future firmware updates...I plan to poke around at that piece when I get back from my vacation and see I can figure out what we can expect when a new FW comes out.
You know... Engenius uses a certificate file to validate the device as part of connecting it to their cloud. Now I'm wondering if perhaps that isn't stored separately from the firmware, perhaps in a different partition or something if not a separate chip, and you could still 'somehow' register it to their cloud...
Not that I'd recommend trying it, as I'm guessing it'd raise some alarms
Quite possibly... there are a bunch of partitions on the flash (IIRC, the prompt to reset to factory defaults said it was going to erase the userconfig partition):You know... Engenius uses a certificate file to validate the device as part of connecting it to their cloud. Now I'm wondering if perhaps that isn't stored separately from the firmware, perhaps in a different partition or something if not a separate chip, and you could still 'somehow' register it to their cloud...
Not that I'd recommend trying it, as I'm guessing it'd raise some alarms
Code:
[ 2.305006] Creating 17 MTD partitions on "qcom_nand.0":
[ 2.311155] 0x000000000000-0x000000100000 : "0:SBL1"
[ 2.318063] 0x000000100000-0x000000200000 : "0:MIBIB"
[ 2.322914] 0x000000200000-0x000000500000 : "0:QSEE"
[ 2.329373] 0x000000500000-0x000000580000 : "0:DEVCFG"
[ 2.332555] 0x000000580000-0x000000600000 : "0:APDP"
[ 2.337529] 0x000000600000-0x000000680000 : "0:RPM"
[ 2.342651] 0x000000680000-0x000000700000 : "0:CDT"
[ 2.347171] 0x000000700000-0x000000780000 : "0:APPSBLENV"
[ 2.352031] 0x000000780000-0x000000e20000 : "0:APPSBL"
[ 2.362152] 0x000000e20000-0x000000e80000 : "cert"
[ 2.363211] 0x000000e80000-0x000000f20000 : "userconfig"
[ 2.367524] 0x000000f20000-0x000000f80000 : "crashdump"
[ 2.372808] 0x000000f80000-0x000001000000 : "0:ART"
[ 2.377901] 0x000001000000-0x000007f00000 : "rootfs_1"
[ 2.464346] 0x000007f00000-0x000008800000 : "0:WIFIFW_1"
[ 2.471853] 0x000008800000-0x00000f700000 : "rootfs"
[ 2.554527] mtd: device 15 (rootfs) set to be root filesystem
[ 2.554789] mtdsplit: no squashfs found in "rootfs"
[ 2.559251] 0x00000f700000-0x000010000000 : "0:WIFIFW"I switched over from my Ruckus APs to my new EnGenius APs last night. So far, so good. Used the same SSIDs and passphrases, and everything reconnected to the new APs fairly seamlessly (including my crapton of IoT devices).
I noticed that the ezMaster VM they provide supports HTTPS on the web UI, but (as far as I can find) doesn't actually give you a way to upload a custom cert. This is annoying, because a) you get that annoying browser warning about a self-signed cert when using HTTPS and b) Chrome won't auto-fill passwords on the login page.
Since I'm using Proxmox, I simply rebooted my ezmaster VM with a Ubuntu Live CD ISO, which auto-mounted the VM disk (plain old ext3 filesystem), and then replaced these files with new ones from the certificate authority on my OPNSense install:
I stumbled upon this almost by accident, when I noticed that the backup file you can download from ezMaster is just a gzip file (despite the .bin extension) and, when extracted, I found a nginx.conf file, which conveniently had the paths to the cert and key files.
I could probably use the same trickery to set up an automatic redirect from HTTP to HTTPS as well...I'll give that a try tomorrow (I have a few other things behind Nginx reverse proxies that already do exactly that, so I can probably just copy the relevant sections out of their configs and be done).
I noticed that the ezMaster VM they provide supports HTTPS on the web UI, but (as far as I can find) doesn't actually give you a way to upload a custom cert. This is annoying, because a) you get that annoying browser warning about a self-signed cert when using HTTPS and b) Chrome won't auto-fill passwords on the login page.
Since I'm using Proxmox, I simply rebooted my ezmaster VM with a Ubuntu Live CD ISO, which auto-mounted the VM disk (plain old ext3 filesystem), and then replaced these files with new ones from the certificate authority on my OPNSense install:
/usr/share/ezmaster/conf/nginx.crt
/usr/share/ezmaster/conf/nginx.keyI stumbled upon this almost by accident, when I noticed that the backup file you can download from ezMaster is just a gzip file (despite the .bin extension) and, when extracted, I found a nginx.conf file, which conveniently had the paths to the cert and key files.
I could probably use the same trickery to set up an automatic redirect from HTTP to HTTPS as well...I'll give that a try tomorrow (I have a few other things behind Nginx reverse proxies that already do exactly that, so I can probably just copy the relevant sections out of their configs and be done).
Wasnt that available under the maintenance section...? Or maybe thats only from the switch interface (where one of their neutron switches acts as a controller for APs), I can't remember come to think of it...
In either case though (even if there was a UI way to do it), one still wouldn't be far off the mark with just the same general sentiment lol -, there are a hundred things like this with engenius, completely undocumented stuff that their support's answered years and years back, ways to do things that make sense only to those who've done it before, etc.
The entire architecture of ezM needs a pretty significant refresh really (postgres version... 8?!?! Not to mention nginx, php, and so many others), but I dont think its ever going to happen. They've used ezM as the base for their new controller which is significantly more modern, and its pretty slick really, I just wish they had an option with all the cloud connectivity stripped out (to be fair I guess, its not required).
I am happy @Dave Corder freed us from the cloud management of the 235 but I agree, ezMaster gui is not a great solution. I was hoping for a more intuitive and user friendly "on premise" solution but it is still better than cloud only.