Hiveless

From FnordWiki
Jump to navigation Jump to search

I scored a couple of Aerohive HiveAP 330 WiFi access points from eBay for an agreeable price. I do not want to pay ongoing licensing fees to manage these systems. They should be usable without a connection to big brother.

First things

HiveAP 330 is a fairly cute little box, about 7in x 7in x 1.75in in size.

On the back can be found a console port (Cisco console cables work great!), two gigabit Ethernet ports (ETH0 (PoE enabled) and ETH1), a power connector, and a small reset pinhole.

Attaching the console cable, configuring Kermit for 9600-8-n-1 and no flow control, and powering the AP on, we're greeted with: 

U-Boot 2009.11 (Mar 18 2014 - 16:01:33)

CPU0:  P1020E, Version: 1.1, (0x80ec0011)
Core:  E500, Version: 5.1, (0x80212051)
Clock Configuration:
       CPU0:533.333 MHz, CPU1:533.333 MHz, 
       CCB:266.667 MHz,
       DDR:266.667 MHz (533.333 MT/s data rate) (Asynchronous), LBC:16.667 MHz
L1:    D-cache 32 kB enabled
       I-cache 32 kB enabled
I2C:   ready
SPI:   ready
DRAM:  Configuring DDR for 533.333 MT/s data rate
DDR: 256 MB
FLASH: 64 MB
L2:    256 KB enabled
MMC:  

    PCIE2 connected to Slot 1 as Root Complex (base addr ffe09000)
               Scanning PCI bus 01
        01  00  168c  0030  0280  ff
    PCIE2 on bus 00 - 01 

    PCIE1 connected to Slot 2 as Root Complex (base addr ffe0a000)
               Scanning PCI bus 03
        03  00  168c  0030  0280  ff
    PCIE1 on bus 02 - 03

In:    serial
Out:   serial
Err:   serial
Net:   eth0, eth1
current temperature is 21
Hit any key to stop autoboot:  0 
Password:

some quick Googling has found the U-Boot bootloader password to be administrator. (Simple is good, right?)

hardware info

CPU is an Freescale Semiconductor embedded dual core PowerPC, running at 533MHz. There are 256Mibytes of RAM and 64Mbytes of Flash on the board.

poking around in the boot loader

The boot loader is U-Boot, a free software boot loader. Plenty of documentation to be found scattered across the interwebs about it, but start at its home site.

More than 3 seconds before boot

  • Power on device
  • Interrupt boot loader
  • Enter boot loader password (administrator or AhNf?d@ta06)
  • change the environment setting:
=> setenv bootdelay 15
=> printenv
=> saveenv
=> reset

Watching it boot, should see the 3 second autoboot timeout now be 15 seconds in length.

a root shell without HiveOS

messing around in the HiveOS CLI

Unable to log in with the default HiveOS credentials? (admin/aerohive)? Wipe the AP's config by holding the Reset switch for 10 seconds. Here's a console transcript of that happening: 

ap10-sf login: ******get interrppt from irq 47
gpio ier 800000, imr 800000
****this my gpio interrupt
[board]: Reset-button pressed!
[board]: Reset-button pressed!
[board]: Reset-button pressed!
[board]: Reset-button pressed!
[board]: Reset-button pressed!
[board]: Pressed reset-button over 5 seconds, restore the default factory configuration! 
[board]: Reset-button pressed!
[board]: Reset-button pressed!
[board]: Reset-button pressed!
[board]: Reset-button pressed!
[board]: Reset-button pressed!
Restarting system. 


U-Boot 2009.11 (Mar 18 2014 - 16:01:33)

CPU0:  P1020E, Version: 1.1, (0x80ec0011)
Core:  E500, Version: 5.1, (0x80212051)
Clock Configuration:
       CPU0:533.333 MHz, CPU1:533.333 MHz, 
       CCB:266.667 MHz,
       DDR:266.667 MHz (533.333 MT/s data rate) (Asynchronous), LBC:16.667 MHz
L1:    D-cache 32 kB enabled
       I-cache 32 kB enabled
I2C:   ready
SPI:   ready
DRAM:  Configuring DDR for 533.333 MT/s data rate
DDR: 256 MB
FLASH: 64 MB
L2:    256 KB enabled
MMC:  

    PCIE2 connected to Slot 1 as Root Complex (base addr ffe09000)
               Scanning PCI bus 01
        01  00  168c  0030  0280  ff
    PCIE2 on bus 00 - 01 

    PCIE1 connected to Slot 2 as Root Complex (base addr ffe0a000)
               Scanning PCI bus 03
        03  00  168c  0030  0280  ff
    PCIE1 on bus 02 - 03

In:    serial
Out:   serial
Err:   serial
Net:   eth0, eth1
current temperature is 39
Hit any key to stop autoboot:  0

HiveOS configuration

This looks quite similar to a Cisco IOS configuration. (Funny how that works.)


Power on the device (without a LAN attached) and watch it boot. If it manages to have an internet connection, it will phone home to the Aerohive mothership and will try to register itself. On the console, log in as admin with password aerohive. Welcome to Aerohive Product 

AH-998580 login: admin
Password:

Decline the offer of running the initial setup wizard.

HiveOS configuration is done in an imperative style from the main CLI. There is no separate configuration mode ala Cisco IOS. The command prompt is the access point's hostname followed by # for a privileged session. The default hostname is "AH- followed by 6 hex digits corresponding to the last 3 bytes of MAC address of the Eth0 interface.

Configuration item one -- do not phone home

AH-827b00# no capwap client enable

This will prevent the AP from registering the Aerohive cloud management system, "HiveManager"

Configuration item two -- other-than default credentials

AH-827b00# admin root-admin root password **********************

Where root is the new administrative user account name and the asterisks are echoed as the password is typed. Note that the Aerohive password strength requirements are stricter than average. (Yay!)

Configuration item three -- let the switch know who it's talking with

LLDP and CDP are both good things. 

AH-827b00#lldp 
AH-827b00#lldp cdp

Now, if you like, see who the AP's network neighbors are... 

AH-827b00#
AH-827b00#show lldp neighbor
LLDP neighbor table: Total number = 1
--------------------------------
Incoming Port: eth0
Chassis ID(mac address): 0022:67f4:2c00
Port ID(mac address): 0022:67f4:2c18
Hold time(seconds): 117
Port description: Port 24
System name: the-lower-nortel-switch
System description: Ethernet Routing Switch 5520-48T-PWR  HW:34       FW:6.0.0.21  SW:v6.3.6.017
System capabilities: bridge, router
Enables capabilities: bridge
Management address: 
	IP address: 10.10.0.253
	interface subtype:Unknown type, number:0
	Oid: 2b060104012d033b02
802.3 Power Via MDI: 
	MDI Power Support: 0x07
		Port Class: PSE
		PSE MDI power: supported
		PSE MDI power enabled: yes
		PSE pairs control ability: no
	PSE power pair: 1
        power class: 5
TIA - Media Capabilities:
	Capabilities: 0x2f
		LLDP-MED capabilities
		network policy
		location identification
		extended power via MDI - PSE
		Inventory
 	Device Type: Network Connectivity
Extended Power-via-MDI:
	power type: PSE device
	power source: primary
	power priority: low 
	power value: 160
hardware revision: 34      
firmware revision: 6.0.0.21 
software revision: v6.3.6.017
serial number: LBNNTMJPT4081R
manufacturer name: Avaya
model name: 5520-48T-PWR
AH-827b00#
AH-827b00#show lldp cdp neighbor
CDP neighbor table: Total number = 1

Incoming interface: eth0

Device-ID: thekitchenciscowap

Device addresses:
  Device addresses number: 1
  IP Address: 172.16.0.61

Holdtime: 142 sec

System Capabilities:  Transparent_Bridge ,IGMP

Version:Cisco IOS Software, C1250 Software (C1250-K9W7-M), Version 12.4(10b)JDA3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Sun 07-Jun-09 03:50 by prod_rel_team

Platform: cisco AIR-AP1252AG-A-K9    

Port-ID (Port on Neighbor's Device): GigabitEthernet0

AH-827b00#

Configuration item four -- security objects

This is where we set security parameters on the wirele ss network SSIDs. And probably other things, too. But that is all we are doing for now... 

AH-827b00#security-object Guest-Network-SO-0
AH-827b00#security-object Guest-Network-SO-0 security protocol-suite open
AH-827b00#
Retrieved from "https://wiki.fnord.greeley.co.us/mediawiki/index.php?title=Hiveless&oldid=981"