I have a QNAP QSW-M408-4C and I was wondering what the serial console port was used for, especially since it wasn’t documented anywhere. Well it turns out it’s a full TTY terminal in LEDE Linux. Thanks to u/sinisterpisces’s post who inspired me to find out more about it.
Update
This guide only works for older versions of the firmware, please see marcan’s qsw-tools, for an updated guide.
Requirements
- You will need a Cisco compatible RJ45 Console Port to Serial/USB adapter
Connecting via Serial
Windows (PuTTY)
- Install PuTTY, this is probably also possible to do with PowerShell, but I don’t know how.
- In PuTTY, set the ‘Connection Type’ to “Serial”
- Find the COM port in Device Manager under ‘Ports (COM & LPT)’
- Back to PuTTY, set the ‘Serial Line’ to the COM port you found
- Set the ‘Speed’ to 115200
Linux (Screen)
- Install screen (It’s often already installed)
- Run
ls /dev/tty*to find the Serial Adapter (usually starts with /dev/ttyUSB or /dev/ttyS) - Run
screen [adapter path] 115200to connect
Logging in/out
- Press enter then enter the same username and password used for the web interface
- When logging out type
exitto quit the session
Scripts
There’s multiple scripts just lying around on the switch that can be used for various things. You can find them all with find / -name *.sh.
Here’s a clean list:
root@LEDE:/admin# ls /usr/bin/*.sh /bin/*.sh /sbin/*.sh /etc/*.sh
/bin/ipcalc.sh /usr/bin/firmware_update.sh
/etc/diag.sh /usr/bin/genenvs.sh
/etc/reg_boardinfo.sh /usr/bin/isscli.sh
/etc/setvlans.sh /usr/bin/issip.sh
/etc/start_service.sh /usr/bin/issnet2tap.sh
/sbin/fan_ctrl.sh /usr/bin/isspass.sh
/sbin/led.sh /usr/bin/issswname.sh
/sbin/prepare_system.sh /usr/bin/luacli.sh
/sbin/qsw_fwupgrade.sh /usr/bin/runisscmd.sh
/usr/bin/evdisp.sh /usr/bin/setmode.sh
/usr/bin/event.sh /usr/bin/sys_stat.sh
Here’s a few of the ones I’ve looked at:
sys_stat.shGets/sets fan speeds, temp, rtc, leds, memory, reset, i2c, and mode (--helpworks)isscli.sh“Aricent Intelligent Switch Solution” CLI (also ontcp://localhost:6023, blocked externally by iptables)runisscmd.shRuns piped input as a command on the CLI (eg.echo "help" | runisscmd.sh)luacli.sh“LUA CLI shell”, (?for help, some things cause switch to crash)isspass.shSets the UI Password using said API using the MAC Address as the old passwordreg_boardinfo.shSets MAC, Serial and Model (I think)fan_ctrl.sh&led.shSelf explanatory but doesn’t seem to work
Remote Access
Enabling SSH
The switch seems to have SSH enabled by default but it’s blocked by iptables, here’s how to unblock it:
Enable SSH until reboot
- Type
iptables -L INPUT 2and you should getDROP tcp -- anywhere anywhere tcp dpt:ssh - If you do type
iptables -D INPUT 2 - If you don’t type
iptables -L INPUT --line-numbers | grep sshtheniptables -D INPUT [line number]
Enable SSH permanently
- Edit
/etc/firewall.user- eg.
vi /etc/firewall.user
- eg.
- Add a
#to the beginning of the line that saysiptables -A INPUT -i cpsstap -p tcp --dport 22 -j DROP(likely line 2)- press
ito insert in vi
- press
- Save and reboot
ESC+:wqto save in virebootto reboot in linux
Other Ports
| Line | Port | Comment |
|---|---|---|
| 1 | 161 | SNMP (Community: NETMAN or PUBLIC) |
| 2 | 22 | SSH |
| 3 | 6080 | Aricent Web GUI (Seems to require IE or an older browser) |
| 4 | 6023 | Aricent Telnet CLI (Can already be used though the console using isscli.sh) |
| 6 | 8080 | uhttpd Webserver |
| 8 | 69 | TFTP? Doesn’t seem to be listening |
| 9 | 12345 | ISS408wt.exe is listening |
| 10 | 12346 | ISS408wt.exe is listening |
| 11 | 31337 | ISS408wt.exe is listening |
| 12 | 31338 | ISS408wt.exe is listening |
The Aricent interfaces can be accessed using the admin username and password, or the debug username and password present in /usr/bin/runisscmd.sh. I believe the debug password is the same on every switch, so I wouldn’t recommend allowing them.
Upgrading Firmware
- Download the firmware from the QNAP site onto the switch:
wget <url> - Extract the firmware:
tar -xvf <file name>.img - Run
./firmware_update.sh
You might think qsw_fwupgrade.sh from above would do something, it doesn’t.
Additional Things
Installing Packages
To install packages with opkg:
opkg updateopkg install <package>I installed htop since it wasn’t installed for me
Config
Supermicro also has some CLI documentation for their Aricent Switches that might be helpful.
There’s also some extra VLAN config in /etc/iss_vlan.txt that might let you tag VLAN 1, otherwise I’m sure the Aricent interface will.
Similar things I’ve found
- u/RootSwitch on r/homelab had a go at “Exploring Hidden Features”
- marcan/qsw-tools - Qnap QSW switch tools, Reddit thread
Thanks for reading!
Steve.
Comments
ReplyCat911 Jan 8, 2022
You can delete one line (or just add # at the beginning to comment it out)
Replyiptables -A INPUT -i cpsstap -p tcp --dport 22 -j DROPfrom /etc/firewall.user to keep ssh port open ever after reboot.
Steve-Tech Jan 8, 2022
Thanks so much for this! I'll be sure to add it to the article when I next get a chance to edit it.
Replyarchalien Apr 2, 2023
Hey Steve, fw update failure on QSW-M408-4C lead me here.
ReplyIm trying to re-flash from console port back to working state: QSS web management is no longer being served/accessible on the switch.
Using the instructions from sinisterpisces post: https://www.reddit.com/r/qn...
I am able to get similar console output as he also posted here: https://pastebin.com/Bcb5WkYJ
With one exception, line 474: "Please press Enter to activate this console." is not logged in my output although the other surrounding logging is the same or very similar.
Any advice on getting to the login screen? Thx
Steve-Tech Apr 9, 2023
Hi archalien!
ReplyHave you pressed enter anyway?
Often devices don't know if something is connected over serial, so it doesn't bother showing a login screen until you press enter.