diff --git a/README.md b/README.md index 0adc977..d330906 100644 --- a/README.md +++ b/README.md @@ -6,9 +6,9 @@ Just hacks and code snippets which might be useful to someone else. [Change the Country Code on country-locked Ruckus Access Points](https://ms264556.net/pages/RuckusCountryCodeChange) -[Push Let's Encrypt certificates to Ruckus Unleashed/ZoneDirector](pages/PfSenseLetsEncryptToRuckus.md) +[Push Let's Encrypt certificates to Ruckus Unleashed/ZoneDirector](https://ms264556.net/pages/PfSenseLetsEncryptToRuckus) -[Connect APs to ZoneDirector / Unleashed Dedicated Master over the Internet](pages/ZD1200OpenPfsensePorts.md) +[Connect APs to ZoneDirector / Unleashed Dedicated Master over the Internet](https://ms264556.net/pages/ZD1200OpenPfsensePorts) ## Font Hackery diff --git a/Scripts/create_unleashed_ecdsa_patch.sh b/Scripts/create_unleashed_ecdsa_patch.sh deleted file mode 100644 index 4fa2a84..0000000 --- a/Scripts/create_unleashed_ecdsa_patch.sh +++ /dev/null 
@@ -1,59 +0,0 @@ -#!/bin/bash - -function rks_encrypt { -RUCKUS_SRC="$1" RUCKUS_DEST="$2" python3 - <upgrade_tool.sh -exit 1 -END - -cat <upgrade_tool -cp -f /tmp/unleashed_upgrade/upgrade_tool.sh /tmp/unleashed_upgrade/upgrade_tool - -killall dropbear > /dev/null 2>&1 -rm -f /writable/data/dropbear/dropbear_rsa_key > /dev/null 2>&1 - -dropbearkey -t ecdsa -f /writable/data/dropbear/dropbear_rsa_key > /dev/null 2>&1 -dropbearkey -y -f /writable/data/dropbear/dropbear_rsa_key | sed -e'1 d' -e'3 d' > /writable/data/dropbear/dropbear_rsa_key.pub -dropbearkey -y -f /writable/data/dropbear/dropbear_rsa_key | sed -e'1,2 d' -e's/.* .* \(.*\)/\1/' > /writable/data/dropbear/dropbear_rsa_key.md5.fingerprint - -/usr/sbin/dropbear -e /var/run/-login -I 900 -p 22 -r /writable/data/dropbear/dropbear_rsa_key -j -k -A none - -echo Patched ECDSA -exit 1 -END -chmod +x upgrade_tool -chmod +x upgrade_tool.sh -cp upgrade_tool.sh upgrade_download_tool.sh - -rm -f unleashed.patch.tgz -tar czf unleashed.patch.tgz upgrade_tool upgrade_tool.sh upgrade_download_tool.sh -rks_encrypt unleashed.patch.tgz unleashed.ecdsa.patch.dbg -rm unleashed.patch.tgz upgrade_tool upgrade_tool.sh upgrade_download_tool.sh diff --git a/Scripts/create_unleashed_licenses_patch.sh b/Scripts/create_unleashed_licenses_patch.sh deleted file mode 100755 index 8c4fdf9..0000000 --- a/Scripts/create_unleashed_licenses_patch.sh +++ /dev/null 
@@ -1,57 +0,0 @@ -#!/bin/bash - -function rks_encrypt { -RUCKUS_SRC="$1" RUCKUS_DEST="$2" python3 - <upgrade_tool.sh -exit 1 -END - -cat <upgrade_tool -cp -f /tmp/unleashed_upgrade/upgrade_tool.sh /tmp/unleashed_upgrade/upgrade_tool - -rm /etc/airespider/license-list.xml -cat </etc/airespider/license-list.xml - - - -EOF - -echo Added URL Filtering License -exit 1 -END -chmod +x upgrade_tool -chmod +x upgrade_tool.sh -cp upgrade_tool.sh upgrade_download_tool.sh - -rm -f unleashed.patch.tgz -tar czf unleashed.patch.tgz upgrade_tool upgrade_tool.sh upgrade_download_tool.sh -rks_encrypt unleashed.patch.tgz unleashed.url_filtering_license.patch.dbg -rm unleashed.patch.tgz upgrade_tool upgrade_tool.sh upgrade_download_tool.sh diff --git a/Scripts/create_unleashed_root_patch.sh b/Scripts/create_unleashed_root_patch.sh deleted file mode 100644 index e04117c..0000000 --- a/Scripts/create_unleashed_root_patch.sh +++ /dev/null @@ -1,58 +0,0 @@ -#!/bin/bash - -function rks_encrypt { -RUCKUS_SRC="$1" RUCKUS_DEST="$2" python3 - <upgrade_tool.sh -exit 1 -END - -cat <upgrade_tool -cp -f /tmp/unleashed_upgrade/upgrade_tool.sh /tmp/unleashed_upgrade/upgrade_tool - -cat </writable/etc/scripts/.root.sh -#!/bin/sh -#RUCKUS# -/bin/stty echo -/bin/sh -EOF -chmod +x /writable/etc/scripts/.root.sh - -echo Patched Root Shell -exit 1 -END -chmod +x upgrade_tool -chmod +x upgrade_tool.sh -cp upgrade_tool.sh upgrade_download_tool.sh - -rm -f unleashed.patch.tgz -tar czf unleashed.patch.tgz upgrade_tool upgrade_tool.sh upgrade_download_tool.sh -rks_encrypt unleashed.patch.tgz unleashed.root.patch.dbg -rm unleashed.patch.tgz upgrade_tool upgrade_tool.sh upgrade_download_tool.sh diff --git a/Scripts/create_unleashed_rsa_patch.sh b/Scripts/create_unleashed_rsa_patch.sh deleted file mode 100644 index 478693a..0000000 --- a/Scripts/create_unleashed_rsa_patch.sh +++ /dev/null 
@@ -1,59 +0,0 @@ -#!/bin/bash - -function rks_encrypt { -RUCKUS_SRC="$1" RUCKUS_DEST="$2" python3 - <upgrade_tool.sh -exit 1 -END - -cat <upgrade_tool -cp -f /tmp/unleashed_upgrade/upgrade_tool.sh /tmp/unleashed_upgrade/upgrade_tool - -killall dropbear > /dev/null 2>&1 -rm -f /writable/data/dropbear/dropbear_rsa_key > /dev/null 2>&1 - -dropbearkey -t rsa -s 2048 -f /writable/data/dropbear/dropbear_rsa_key > /dev/null 2>&1 -dropbearkey -y -f /writable/data/dropbear/dropbear_rsa_key | sed -e'1 d' -e'3 d' > /writable/data/dropbear/dropbear_rsa_key.pub -dropbearkey -y -f /writable/data/dropbear/dropbear_rsa_key | sed -e'1,2 d' -e's/.* .* \(.*\)/\1/' > /writable/data/dropbear/dropbear_rsa_key.md5.fingerprint - -/usr/sbin/dropbear -e /var/run/-login -I 900 -p 22 -r /writable/data/dropbear/dropbear_rsa_key -j -k -A none - -echo Patched RSA -exit 1 -END -chmod +x upgrade_tool -chmod +x upgrade_tool.sh -cp upgrade_tool.sh upgrade_download_tool.sh - -rm -f unleashed.patch.tgz -tar czf unleashed.patch.tgz upgrade_tool upgrade_tool.sh upgrade_download_tool.sh -rks_encrypt unleashed.patch.tgz unleashed.restore_rsa.patch.dbg -rm unleashed.patch.tgz upgrade_tool upgrade_tool.sh upgrade_download_tool.sh diff --git a/Scripts/create_unleashed_unlock.sh b/Scripts/create_unleashed_unlock.sh deleted file mode 100644 index c0c12bc..0000000 --- a/Scripts/create_unleashed_unlock.sh +++ /dev/null 
@@ -1,55 +0,0 @@ -#!/bin/bash - -# Create an Unleashed Upgrade Preload Image which converts a locked US AP to an unlocked WW AP. - -function rks_encrypt { -RUCKUS_SRC="$1" RUCKUS_DEST="$2" python3 - <upgrade_tool.sh -exit 1 -END - -cat <upgrade_tool -cp -f /tmp/unleashed_upgrade/upgrade_tool.sh /tmp/unleashed_upgrade/upgrade_tool - -bsp set fixed_ctry_code 0 -bsp commit - -echo Unlocked Country Code -exit 1 -END -chmod +x upgrade_tool -chmod +x upgrade_tool.sh -cp upgrade_tool.sh upgrade_download_tool.sh - -rm -f unleashed.patch.tgz -tar czf unleashed.patch.tgz upgrade_tool upgrade_tool.sh upgrade_download_tool.sh -rks_encrypt unleashed.patch.tgz unleashed.unlock.dbg -rm unleashed.patch.tgz upgrade_tool upgrade_tool.sh upgrade_download_tool.sh diff --git a/Scripts/create_zd1000_licenses_patch.sh b/Scripts/create_zd1000_licenses_patch.sh deleted file mode 100755 index e504e05..0000000 --- a/Scripts/create_zd1000_licenses_patch.sh +++ /dev/null @@ -1,73 +0,0 @@ -#!/bin/bash - -# Create a ZoneDirector Upgrade Image which adds 50 AP Licenses and Upgrade Entitlement until August 2027. - -function rks_encrypt { -RUCKUS_SRC="$1" RUCKUS_DEST="$2" python3 - <metadata -PURPOSE=upgrade -VERSION=9.99.99.99 -BUILD=999 -REQUIRE_SIZE=1000 -REQUIRE_VERSIONS=2.0.0.0 2.0.1.0 2.0.1.1 3.0.0.0 3.0.1.0 3.0.2.0 3.0.3.0 3.0.4.0 3.0.5.0 6.0.0.0 6.0.0.1 6.0.0.2 6.0.1.0 6.0.1.1 6.0.2.0 6.0.2.1 6.0.3.0 6.0.3.1 6.0.4.0 7.0.0.0 7.0.1.0 7.0.2.0 7.1.0.0 7.3.0.0 8.0.0.0 8.0.0.1 8.0.1.0 8.0.2.0 8.1.1.0 8.2.0.0 8.2.2.0 8.4.0.0 9.0.0.0 9.1.0.0 9.1.0.3 9.1.1.0 9.1.2.0 9.2.0.0 9.3.0.0 9.3.1.0 9.3.2.0 9.3.4.0 -REQUIRE_PLATFORM=ar7100 -ABILITY=ZD5000 -END - -cat <all_files -* -END - -cat <upgrade_check.sh -#!/bin/sh - -mount -o remount,rw / - -cat </etc/airespider-images/license-list.xml - - -EOF - -bsp set model ZD1050 > /dev/null 2>&1 -bsp commit > /dev/null 2>&1 - -mount -o remount,ro / - -echo "Added AP Licenses.\n
" - -END - -chmod +x upgrade_check.sh -cp upgrade_check.sh ac_upg.sh -rm -f zd.patch.tgz -tar czf zd.patch.tgz metadata all_files upgrade_check.sh ac_upg.sh -rks_encrypt zd.patch.tgz zd1000.licenses.patch.img -rm all_files metadata upgrade_check.sh ac_upg.sh zd.patch.tgz diff --git a/Scripts/create_zd1100_licenses_patch.sh b/Scripts/create_zd1100_licenses_patch.sh deleted file mode 100755 index 6d158b4..0000000 --- a/Scripts/create_zd1100_licenses_patch.sh +++ /dev/null 
@@ -1,105 +0,0 @@ -#!/bin/bash - -# Create a ZoneDirector Upgrade Image which adds 50 AP Licenses and Upgrade Entitlement until August 2027. - -function rks_encrypt { -RUCKUS_SRC="$1" RUCKUS_DEST="$2" python3 - <metadata -PURPOSE=upgrade -VERSION=9.99.99.99 -BUILD=999 -REQUIRE_SIZE=1000 -REQUIRE_VERSIONS=9.1.0.0 9.1.1.0 9.1.2.0 9.3.0.0 9.3.1.0 9.3.2.0 9.3.4.0 9.4.0.0 9.4.2.0 9.4.3.0 9.5.1.0 9.5.2.0 9.5.3.0 9.6.0.0 9.6.1.0 9.6.2.0 9.7.0.0 9.7.1.0 9.7.2.0 9.8.0.0 9.8.1.0 9.8.2.0 9.8.3.0 9.9.0.0 9.9.1.0 9.10.0.0 9.10.1.0 9.10.2.0 -REQUIRE_PLATFORM=ar7161 -END - -cat <all_files -* -END - -cat <upgrade_check.sh -#!/bin/sh - -CUR_WRAP_MD5=\`md5sum /bin/sys_wrapper.sh | cut -d' ' -f1\` - -mount -o remount,rw / - -cd /etc/persistent-scripts -mkdir -p patch-storage -cd patch-storage - -if [ -f sys_wrapper.sh ] ; then - cat sys_wrapper.sh > /bin/sys_wrapper.sh -else - cat /bin/sys_wrapper.sh > sys_wrapper.sh -fi -cat <support - - - -EOF -sed 's//writable/etc/airespider/support-list.xml -rm -f support.spt -tar -czf support.spt support - -cat </etc/airespider-images/license-list.xml - - -EOF - -sed -i -e '/verify-upload-support)/a \\ - cd \/tmp\\ - cat \/etc\/persistent-scripts\/patch-storage\/support > support\\ - echo "OK"\\ - ;;\\ - verify-upload-support-unpatched)' -e '/wget-support-entitlement)/a \\ - cat \/etc\/persistent-scripts\/patch-storage\/support\.spt > "\/tmp\/\$1"\\ - echo "OK"\\ - ;;\\ - wget-support-entitlement-unpatched)' /bin/sys_wrapper.sh -NEW_WRAP_MD5=\`md5sum /bin/sys_wrapper.sh | cut -d' ' -f1\` -sed -i -e "s/\$CUR_WRAP_MD5/\$NEW_WRAP_MD5/" /file_list.txt - -bsp set model ZD1150 > /dev/null 2>&1 -bsp commit > /dev/null 2>&1 - -mount -o remount,ro / - -echo "Added Upgrade Entitlement.\n
" -echo "Added AP Licenses.\n
" - -END - -chmod +x upgrade_check.sh -rm -f zd.patch.tgz -tar czf zd.patch.tgz metadata all_files upgrade_check.sh -rks_encrypt zd.patch.tgz zd1100.licenses.patch.img -rm all_files metadata upgrade_check.sh zd.patch.tgz diff --git a/Scripts/create_zd1200_ecdsa_patch.sh b/Scripts/create_zd1200_ecdsa_patch.sh deleted file mode 100644 index 68ce6e1..0000000 --- a/Scripts/create_zd1200_ecdsa_patch.sh +++ /dev/null @@ -1,64 +0,0 @@ -#!/bin/bash - -# Create a ZoneDirector Upgrade Image which tells SSH server to use ECDSA rather than RSA. - -function rks_encrypt { -RUCKUS_SRC="$1" RUCKUS_DEST="$2" python3 - <metadata -PURPOSE=upgrade -VERSION=10.99.99.99 -BUILD=999 -REQUIRE_SIZE=1000 -REQUIRE_VERSIONS=9.9.0.0 9.10.0.0 9.10.1.0 9.10.2.0 9.12.0.0 9.12.1.0 9.12.2.0 9.12.3.0 9.13.0.0 9.13.1.0 9.13.2.0 9.13.3.0 10.0.0.0 10.1.0.0 10.1.1.0 10.1.2.0 10.2.0.0 10.2.1.0 10.3.0.0 10.3.1.0 10.4.0.0 10.4.1.0 10.5.0 -REQUIRE_PLATFORM=nar5520 -REQUIRE_SUBPLATFORM=cob7402 -END - -cat <all_files -* -END - -cat <upgrade_check.sh -#!/bin/sh - -killall dropbear > /dev/null 2>&1 -rm -f /etc/airespider/dropbear/dropbear_host_rsa_key > /dev/null 2>&1 -dropbearkey -t ecdsa -f /etc/airespider/dropbear/dropbear_host_rsa_key > /dev/null 2>&1 -/etc/init.d/dropbear > /dev/null 2>&1 - -echo "SSH is now using ECDSA.\n
" -END - -chmod +x upgrade_check.sh -rm -f zd.patch.tgz -tar czf zd.patch.tgz metadata all_files upgrade_check.sh -rks_encrypt zd.patch.tgz zd1200.ecdsa.patch.img -rm all_files metadata upgrade_check.sh zd.patch.tgz diff --git a/Scripts/create_zd1200_licenses_patch.sh b/Scripts/create_zd1200_licenses_patch.sh deleted file mode 100755 index 09444b0..0000000 --- a/Scripts/create_zd1200_licenses_patch.sh +++ /dev/null 
@@ -1,108 +0,0 @@ -#!/bin/bash - -# Create a ZoneDirector Upgrade Image which adds 150 AP Licenses and Upgrade Entitlement until August 2027. - -function rks_encrypt { -RUCKUS_SRC="$1" RUCKUS_DEST="$2" python3 - <metadata -PURPOSE=upgrade -VERSION=10.99.99.99 -BUILD=999 -REQUIRE_SIZE=1000 -REQUIRE_VERSIONS=9.9.0.0 9.10.0.0 9.10.1.0 9.10.2.0 9.12.0.0 9.12.1.0 9.12.2.0 9.12.3.0 9.13.0.0 9.13.1.0 9.13.2.0 9.13.3.0 10.0.0.0 10.1.0.0 10.1.1.0 10.1.2.0 10.2.0.0 10.2.1.0 10.3.0.0 10.3.1.0 10.4.0.0 10.4.1.0 10.5.0 -REQUIRE_PLATFORM=nar5520 -REQUIRE_SUBPLATFORM=cob7402 -END - -cat <all_files -* -END - -cat <upgrade_check.sh -#!/bin/sh - -CUR_WRAP_MD5=\`md5sum /bin/sys_wrapper.sh | cut -d' ' -f1\` - -mount -o remount,rw / - -cd /etc/persistent-scripts - -mkdir -p patch-storage -cd patch-storage - -if [ -f sys_wrapper.sh ] ; then - cat sys_wrapper.sh > /bin/sys_wrapper.sh -else - cat /bin/sys_wrapper.sh > sys_wrapper.sh -fi -cat <support - - - -EOF -sed 's//writable/etc/airespider/support-list.xml -rm -f support.spt -tar -czf support.spt support - -cat </tmp/airespider-license-list-new.xml - - - - -EOF -cat /tmp/airespider-license-list-new.xml > /etc/airespider-images/license-list.xml -cat /tmp/airespider-license-list-new.xml > /etc/airespider/license-list.xml -cat /tmp/airespider-license-list-new.xml > /etc/airespider/license-list.bak.xml - -sed -i -e '/verify-upload-support)/a \\ - cd \/tmp\\ - cat \/etc\/persistent-scripts\/patch-storage\/support > support\\ - echo "OK"\\ - ;;\\ - verify-upload-support-unpatched)' -e '/wget-support-entitlement)/a \\ - cat \/etc\/persistent-scripts\/patch-storage\/support\.spt > "\/tmp\/\$1"\\ - echo "OK"\\ - ;;\\ - wget-support-entitlement-unpatched)' /bin/sys_wrapper.sh -NEW_WRAP_MD5=\`md5sum /bin/sys_wrapper.sh | cut -d' ' -f1\` -sed -i -e "s/\$CUR_WRAP_MD5/\$NEW_WRAP_MD5/" /file_list.txt - -mount -o remount,ro / - -echo "Added Upgrade Entitlement.\n
" -echo "Added AP Licenses.\n
" -END - -chmod +x upgrade_check.sh -rm -f zd.patch.tgz -tar czf zd.patch.tgz metadata all_files upgrade_check.sh -rks_encrypt zd.patch.tgz zd1200.licenses.patch.img -rm all_files metadata upgrade_check.sh zd.patch.tgz diff --git a/Scripts/create_zd1200_root_patch.sh b/Scripts/create_zd1200_root_patch.sh deleted file mode 100755 index 4502bdd..0000000 --- a/Scripts/create_zd1200_root_patch.sh +++ /dev/null @@ -1,83 +0,0 @@ -#!/bin/bash - -function rks_encrypt { -RUCKUS_SRC="$1" RUCKUS_DEST="$2" python3 - <metadata -PURPOSE=upgrade -VERSION=10.99.99.99 -BUILD=999 -REQUIRE_SIZE=1000 -REQUIRE_VERSIONS=9.9.0.0 9.10.0.0 9.10.1.0 9.10.2.0 9.12.0.0 9.12.1.0 9.12.2.0 9.12.3.0 9.13.0.0 9.13.1.0 9.13.2.0 9.13.3.0 10.0.0.0 10.1.0.0 10.1.1.0 10.1.2.0 10.2.0.0 10.2.1.0 10.3.0.0 10.3.1.0 10.4.0.0 10.4.1.0 10.5.0 -REQUIRE_PLATFORM=nar5520 -REQUIRE_SUBPLATFORM=cob7402 -END - -cat <all_files -* -END - -cat <upgrade_check.sh -#!/bin/sh - -support_status=\`cfg support-list.status | cut -d" " -f 2\` -if [ ! "\$support_status" -eq "1" ] ; then -cat </writable/etc/airespider/support-list.xml - - - -EOF -echo "Added Upgrade Entitlement.\n
" -fi - -mount -o remount,rw / - -cd /etc/persistent-scripts - -cat <.root.sh -#!/bin/sh -#RUCKUS# -/bin/stty echo -/bin/sh -EOF -chmod +x .root.sh -rm -f /writable/etc/scripts/.root.sh -ln -s -f /etc/persistent-scripts/.root.sh /writable/etc/scripts/.root.sh - -mount -o remount,ro / - -echo "Root shell activated.\nAccessing the root shell from the CLI:-\n
ruckus> enable\nruckus# debug\nYou have all rights in this mode.\nruckus(debug)# script\nruckus(script)# exec .root.sh\n\nRuckus Wireless ZoneDirector -- Command Line Interface\nEnter 'help' for a list of built-in commands.\n\nruckus\$ 
" -END - -chmod +x upgrade_check.sh -rm -f zd.patch.tar zd.patch.tar.gz -tar czf zd.patch.tgz metadata all_files upgrade_check.sh -rks_encrypt zd.patch.tgz zd1200.rootshell.patch.img -rm all_files metadata upgrade_check.sh zd.patch.tgz diff --git a/Scripts/create_zd1200_rsa_patch.sh b/Scripts/create_zd1200_rsa_patch.sh deleted file mode 100644 index f49bc93..0000000 --- a/Scripts/create_zd1200_rsa_patch.sh +++ /dev/null @@ -1,64 +0,0 @@ -#!/bin/bash - -# Create a ZoneDirector Upgrade Image which tells SSH server to use RSA rather than EDSA. - -function rks_encrypt { -RUCKUS_SRC="$1" RUCKUS_DEST="$2" python3 - <metadata -PURPOSE=upgrade -VERSION=10.99.99.99 -BUILD=999 -REQUIRE_SIZE=1000 -REQUIRE_VERSIONS=9.9.0.0 9.10.0.0 9.10.1.0 9.10.2.0 9.12.0.0 9.12.1.0 9.12.2.0 9.12.3.0 9.13.0.0 9.13.1.0 9.13.2.0 9.13.3.0 10.0.0.0 10.1.0.0 10.1.1.0 10.1.2.0 10.2.0.0 10.2.1.0 10.3.0.0 10.3.1.0 10.4.0.0 10.4.1.0 10.5.0 -REQUIRE_PLATFORM=nar5520 -REQUIRE_SUBPLATFORM=cob7402 -END - -cat <all_files -* -END - -cat <upgrade_check.sh -#!/bin/sh - -killall dropbear > /dev/null 2>&1 -rm -f /etc/airespider/dropbear/dropbear_host_rsa_key > /dev/null 2>&1 -dropbearkey -t rsa -f /etc/airespider/dropbear/dropbear_host_rsa_key > /dev/null 2>&1 -/etc/init.d/dropbear > /dev/null 2>&1 - -echo "SSH is now using RSA.\n
" -END - -chmod +x upgrade_check.sh -rm -f zd.patch.tgz -tar czf zd.patch.tgz metadata all_files upgrade_check.sh -rks_encrypt zd.patch.tgz zd1200.restore_rsa.patch.img -rm all_files metadata upgrade_check.sh zd.patch.tgz diff --git a/Scripts/create_zd3000_licenses_patch.sh b/Scripts/create_zd3000_licenses_patch.sh deleted file mode 100755 index 9f091b1..0000000 --- a/Scripts/create_zd3000_licenses_patch.sh +++ /dev/null 
@@ -1,111 +0,0 @@ -#!/bin/bash - -# Create a ZoneDirector Upgrade Image which adds 150 AP Licenses and Upgrade Entitlement until August 2027. - -function rks_encrypt { -RUCKUS_SRC="$1" RUCKUS_DEST="$2" python3 - <metadata -PURPOSE=upgrade -VERSION=10.99.99.99 -BUILD=999 -REQUIRE_SIZE=1000 -REQUIRE_VERSIONS=9.1.0.0 9.1.1.0 9.1.2.0 9.3.0.0 9.3.1.0 9.3.2.0 9.3.4.0 9.4.0.0 9.4.2.0 9.4.3.0 9.5.1.0 9.5.2.0 9.5.3.0 9.6.0.0 9.6.1.0 9.6.2.0 9.7.0.0 9.7.1.0 9.7.2.0 9.8.0.0 9.8.1.0 9.8.2.0 9.8.3.0 9.9.0.0 9.10.0.0 9.10.1.0 9.10.2.0 9.12.0.0 9.12.1.0 9.12.2.0 9.12.3.0 9.13.0.0 9.13.1.0 9.13.2.0 9.13.3.0 10.0.0.0 10.1.0.0 10.1.1.0 10.1.2.0 10.2.0.0 10.2.1.0 -REQUIRE_PLATFORM=nar5520 -REQUIRE_SUBPLATFORM=nar5520 -END - -cat <all_files -* -END - -cat <upgrade_check.sh -#!/bin/sh - -CUR_WRAP_MD5=\`md5sum /bin/sys_wrapper.sh | cut -d' ' -f1\` - -mount -o remount,rw / - -cd /etc/persistent-scripts - -mkdir -p patch-storage -cd patch-storage - -if [ -f sys_wrapper.sh ] ; then - cat sys_wrapper.sh > /bin/sys_wrapper.sh -else - cat /bin/sys_wrapper.sh > sys_wrapper.sh -fi -cat <support - - - -EOF -sed 's//writable/etc/airespider/support-list.xml -rm -f support.spt -tar -czf support.spt support - -cat </tmp/airespider-license-list-new.xml - - - - -EOF -cat /tmp/airespider-license-list-new.xml > /etc/airespider-images/license-list.xml -cat /tmp/airespider-license-list-new.xml > /etc/airespider/license-list.xml -cat /tmp/airespider-license-list-new.xml > /etc/airespider/license-list.bak.xml - -sed -i -e '/verify-upload-support)/a \\ - cd \/tmp\\ - cat \/etc\/persistent-scripts\/patch-storage\/support > support\\ - echo "OK"\\ - ;;\\ - verify-upload-support-unpatched)' -e '/wget-support-entitlement)/a \\ - cat \/etc\/persistent-scripts\/patch-storage\/support\.spt > "\/tmp\/\$1"\\ - echo "OK"\\ - ;;\\ - wget-support-entitlement-unpatched)' /bin/sys_wrapper.sh -NEW_WRAP_MD5=\`md5sum /bin/sys_wrapper.sh | cut -d' ' -f1\` -sed -i -e "s/\$CUR_WRAP_MD5/\$NEW_WRAP_MD5/" /file_list.txt - -bsp set 
model ZD3050 > /dev/null 2>&1 -bsp commit > /dev/null 2>&1 - -mount -o remount,ro / - -echo "Added Upgrade Entitlement.\n
" -echo "Added AP Licenses.\n
" -END - -chmod +x upgrade_check.sh -rm -f zd.patch.tgz -tar czf zd.patch.tgz metadata all_files upgrade_check.sh -rks_encrypt zd.patch.tgz zd3000.licenses.patch.img -rm all_files metadata upgrade_check.sh zd.patch.tgz diff --git a/pages/PfSenseLetsEncryptToRuckus.md b/pages/PfSenseLetsEncryptToRuckus.md index 21b7982..784ff86 100644 --- a/pages/PfSenseLetsEncryptToRuckus.md +++ b/pages/PfSenseLetsEncryptToRuckus.md 
@@ -1,85 +1,3 @@ # Push TLS Certificates to Ruckus ZoneDirector / Unleashed -There's no official API for pushing certificates to Ruckus ZoneDirector or Ruckus Unleashed. -This is a pain. Free TLS certificates issued by [Let's Encrypt](https://letsencrypt.org) are only good for 90 days, so automation is key. - -You can use the shell script, below, to push certificates to Ruckus Unleashed or ZoneDirector. -The script has been tested on Linux (Ubuntu) & FreeBSD (pfSense). - -The script takes 3 arguments: - 1) The path to your certificate/fullchain file. - (for ACME, this is the _cert_name_.crt file, or the _cert_name_.fullchain file). - - 2) The path to your private key file. - (for ACME, this is the _cert_name_.key file). - - 3) The FQDN of your ZoneDirector or Unleashed Master AP. - This is very important, espcially if you use a wildcard certificate: when you visit your ZoneDirector/Unleashed web UI you will be redirected to `https://FQDN/` - -> You need to edit the script to replace `ZD_USERNAME` and `ZD_PASSWORD` with your own ZoneDirector/Unleashed admin username and password. - -> The script expects to be able to find your ZoneDirector/Unleashed at the specified fully qualified domain name. So make sure you have already setup split DNS, if necessary. 
- -```sh -ZD_USERNAME='myruckususername' -ZD_PASSWORD='myruckuspassword' - -ZD_CERTIFICATE=$1 -ZD_KEY=$2 -ZD_FQDN=$3 - -ZD_COOKIE=$(mktemp) - -ZD_LOGIN_URL="$(curl https://$ZD_FQDN -k -s -L -I -o /dev/null -w '%{url_effective}')" -LOGIN_ARGS="-k -c $ZD_COOKIE" -ZD_XSS="$(curl $LOGIN_ARGS $ZD_LOGIN_URL -d username=$ZD_USERNAME -d password=$ZD_PASSWORD -d ok=Log\ In -i | awk '/^HTTP_X_CSRF_TOKEN:/ { print $2 }' | tr -d '\040\011\012\015')" - -ZD_BASE_URL="$(dirname $ZD_LOGIN_URL)" -CONF_ARGS="-i -k -b $ZD_COOKIE -c $ZD_COOKIE" -ZD_UPLOAD="$CONF_ARGS $ZD_BASE_URL/_upload.jsp?request_type=xhr" -ZD_CMD="$CONF_ARGS $ZD_BASE_URL/_cmdstat.jsp" - -REPLACE_CERT_AJAX="" -CERT_REBOOT_AJAX="" - -curl $ZD_UPLOAD -H "X-CSRF-Token: $ZD_XSS" -F "u=@$ZD_CERTIFICATE" -F action=uploadcert -F callback=uploader_uploadcert -curl $ZD_UPLOAD -H "X-CSRF-Token: $ZD_XSS" -F "u=@$ZD_KEY" -F action=uploadprivatekey -F callback=uploader_uploadprivatekey -curl $ZD_CMD -H "X-CSRF-Token: $ZD_XSS" --data-raw "$REPLACE_CERT_AJAX" -curl $ZD_CMD -H "X-CSRF-Token: $ZD_XSS" --data-raw "$CERT_REBOOT_AJAX" - -rm $ZD_COOKIE -``` - -## Example: Automatically push Let's Encrypt Certificate from pfSense to Unleashed or ZoneDirector - -If you've got the Acme service setup in pfSense then you can push Let's Encrypt certificates onto your ZoneDirector/Unleashed whenever they come in. -This will reboot the target ZoneDirector/Unleashed, but the Acme service runs at 3:16am so probably no big issue. -> Be aware that older Unleashed APs (e.g. R500 or R600) may take 10 minutes to reboot completely. - -### Create the Script - -* Use `Diagnostics` / `Edit File` to create a new file `/usr/local/bin/export_zd_cert.sh`, containing the above script. - -### Make the Script Executable - -* Use `Diagnostics` / `Command Prompt` to execute `chmod +x /usr/local/bin/export_zd_cert.sh`. 
- -### Ask the Acme Service to run the script after renewing your certificate - -* In `Services` / `Acme Certificates` / `General settings`, make sure the `Write Certificates` box is ticked. - -* In `Services` / `Acme Certificates` / `Certificates`, edit the certificate you want to use on your Ruckus ZoneDirector/Unleashed. - -* Add a `Shell Command` to the `Actions List`: - `/usr/local/bin/export_zd_cert.sh /conf/acme/name.of.this.certificate.fullchain /conf/acme/name.of.this.certificate.key zdhost.your.domain.name` . - - > `zdhost.your.domain.name` is whatever fully qualified hostname you're using for your ZoneDirector/Unleashed, and `name.of.this.certificate` is what you entered in the `Name` box for this certificate. - -* Ensure that the `Private Key` setting for your certificate is RSA (ECDSA TLS certificates are unsupported on Unleashed and ZoneDirector). - -### (Optionally) Add a DNS Host Override - -The script expects to be able to find your ZoneDirector/Unleashed at the specified fully qualified domain name. - -If your `Domain` in `System` / `General Setup` is different from the the domain in your certificate (e.g. your certitificate is for `*.your.domain.name` but your pfSense domain is `localdomain`), then you might need pfSense to return an internal IP for `zdhost.your.domain.name`. -* Go to `Services` / `DNS Resolver`, and `Add` a `Host Override`. +This content has [moved](https://ms264556.net/pages/PfSenseLetsEncryptToRuckus). \ No newline at end of file diff --git a/pages/StandaloneApRootShell.md b/pages/StandaloneApRootShell.md index 1ccc509..99baa7f 100644 --- a/pages/StandaloneApRootShell.md +++ b/pages/StandaloneApRootShell.md 
@@ -1,99 +1,3 @@ # Obtaining a root shell on Standalone/Solo Ruckus APs -The Ruckus CLI includes a hidden `!v54!` command which exits to a root shell. - -* Very old AP firmware checks a configuration setting `cli_esc2shell_ok` to decide whether the `!v54!` command is available. -* Newer AP firmware checks an encrypted serial# to decide whether the `!v54!` command is available. -The encrypted serial# is saved to a file using the `Ruckus` command, then the `!v54!` command uses `sesame` to decrypt this file. - -## Firmware >112.0 - -Sorry, I don't have a method to bypass the serial# check on newer Standalone/Solo AP firmwares. - -If your AP was released before mid-2019 then you can downgrade to an older Solo firmware. - -## Firmware 9.8 - 112.0 (excl. 110.0.0.0.2005) - -These AP firmware versions [don't sanitize the encrypted serial#](https://alephsecurity.com/vulns/aleph-2019014#proof-of-concept). -So we can use the `Ruckus` command to inject a root shell. -> Note that the injection only needs to be performed once. - -### SSH to the AP - -```console -$ ssh 192.168.0.1 -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa -oCiphers=+aes256-cbc -``` - -Login. Default username is "super", password is "sp-admin". - -### Command injection - -```console -rkscli: Ruckus -``` - -Now type `";/bin/sh;"` and hit enter *(you won't be able to see what you're typing)* - -```console -grrrr -``` - -> Instead of `grrrr`, any other random dog noise could be printed to the screen. - -### Escape to shell - -```console -rkscli: !v54! -What's your chow: -``` - -Now hit enter - -```console -BusyBox v1.15.2 (2015-07-21 22:07:19 PDT) built-in shell (ash) -Enter 'help' for a list of built-in commands. - -# -``` - -You have a root shell. - -## Firmware Pre-9.8 - -These AP firmware versions [don't sanitize the input to the Ping diagnostic tool](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6230). -So we can use `Ping` to enable `cli_esc2shell_ok`. 
-> Note that the `Ping` enablement only needs to be performed once. - -### Connect to the AP's Web UI - -Login. Default username is "super", password is "sp-admin". - -### Enable shell escape - -Go to `Administration` > `Diagnostics`, paste `|rpm${IFS}-p${IFS}cli_esc2shell_ok="t"` into the `Ping:` textbox & hit `Run test`. - -### SSH to the AP - -```console -$ ssh 192.168.0.1 -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa -oCiphers=+aes256-cbc -``` - -Login. Default username is "super", password is "sp-admin". - -### Escape to shell - -```console -rkscli: !v54! -What's your chow: -``` - -Now hit enter - -```console -BusyBox v1.15.2 (2015-07-21 22:07:19 PDT) built-in shell (ash) -Enter 'help' for a list of built-in commands. - -# -``` - -You have a root shell. +This content has [moved](https://ms264556.net/pages/StandaloneApRootShell). \ No newline at end of file diff --git a/pages/ZD1000UpgradeFromV3.md b/pages/ZD1000UpgradeFromV3.md index d53180f..addee1b 100644 --- a/pages/ZD1000UpgradeFromV3.md +++ b/pages/ZD1000UpgradeFromV3.md @@ -1,19 +1,3 @@ # Upgrade a ZoneDirector running software version 3.0 -The 3.0 ZoneDirector CLI has no method to perform a firmware upgrade, and the web UI upgrade functionality fails on all browsers I tried (because of TLS and XSS errors). - -If you setup a TFTP server then you can use this to upgrade the ZoneDirector via a root shell:- - -```console -ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa -oCiphers=+aes256-cbc 192.168.0.2 - -!v54! - -cd /tmp -tftp -g -l upgrade_file -r zd_6.0.3.0.19.ap_6.0.3.0.21.img 192.168.0.22 -/bin/sys_wrapper.sh verify-upgrade upgrade_file -mkdir upg -cd upg -cat ../upgrade_file.decrypted | gunzip | tar x -./ac_upg.sh -``` +This content has [moved](https://ms264556.net/pages/ZD1000UpgradeFromV3). \ No newline at end of file diff --git a/pages/ZD1200OpenPfsensePorts.md b/pages/ZD1200OpenPfsensePorts.md index 6379690..1088204 100644 
--- a/pages/ZD1200OpenPfsensePorts.md
+++ b/pages/ZD1200OpenPfsensePorts.md
@@ -1,179 +1,3 @@ # Connect APs to ZoneDirector / Unleashed over the public Internet -You can use ZoneDirector or Unleashed Dedicated Master to manage APs at remote internet-connected locations, and tunnel selected traffic back to your network. - -Your ZoneDirector or Dedicated Master can be behind a NAT router, but this router requires a static WAN IP address. -Your APs can be behind NAT or double-NAT (e.g. if your ISP uses CGNAT). - -This guide configures NAT routing on pfSense. You will need to adapt the steps to suit other firewalls. - -# ZoneDirector - -You should enable Secure AP Provisioning (which is the default for ZoneDirector 10.5.1). - -You need to NAT incoming UDP 12222,12223 & TCP 443,11443 WAN traffic to your ZoneDirector. -And you need to configure your APs with the public IP address of your ZoneDirector. - -A complication is that the ZoneDirector Management Interface also uses port 443, and we don't want to expose this to the internet. -And you might already be serving an unrelated website on port 443. -We can address these problems by installing HAProxy on pfSense (if you haven't already), and only passing HTTPS traffic if it matches the specific URL which ZoneDirector AP provisioning requires. - -## pfSense configuration steps - -### Add Port Aliases - -```Firewall``` > ```Aliases``` > ```Ports``` > ```Add``` -* Properties > Name: ```ZoneDirectorUdp``` -* Port(s) > Port: ```12222:12223``` -* ```Save``` - -```Firewall``` > ```Aliases``` > ```Ports``` > ```Add``` -* Properties > Name: ```ZoneDirectorTcp``` -* Port(s) > Port: ```11443``` -* ```Save``` - -```Apply Changes``` - -### Add NAT Port Forwards - -```Firewall``` > ```NAT``` > ```Port Forward``` > ```Add``` _(the down arrow)_ -* Edit Redirect Entry > Protocol: ```UDP``` -* Edit Redirect Entry > Destination port range > Custom: ```ZoneDirectorUdp``` -> _If you can apply a Source rule (e.g. 
an ISP's IP range) then do so_ -* Edit Redirect Entry > Redirect target IP > Address: `````` -* Edit Redirect Entry > Redirect target port > Custom: ```ZoneDirectorUdp``` -* ```Save``` - -```Firewall``` > ```NAT``` > ```Port Forward``` > ```Add``` _(the down arrow)_ -* Edit Redirect Entry > Destination port range > Custom: ```ZoneDirectorTcp``` -> _If you can apply a Source rule (e.g. an ISP's IP range) then do so_ -* Edit Redirect Entry > Redirect target IP > Address: `````` -* Edit Redirect Entry > Redirect target port > Custom: ```ZoneDirectorTcp``` -* ```Save``` - -```Apply Changes``` - -### Add CA and Certificate for HAProxy Frontend - -```System``` > ```Cert. Manager``` > ```CAs``` > ```Add``` -* Create / Edit CA > Descriptive name: ```internal-ca``` - -```System``` > ```Cert. Manager``` > ```Certificates``` > ```Add/Sign``` -* Add Sign a New Certificate > Descriptive name: `````` -* Internal Certificate > Certificate authority: ```internal-ca``` -* Internal Certificate > Common name: `````` -* Certificate Attributes > Certificate Type: ```Server Certificate``` -* ```Save``` - -### Install HAProxy - -```System``` > ```Package Manager``` > ```Available Packages``` > ```haproxy-devel``` > ```Install``` > ```Confirm``` - -### Create HAProxy Backend - -```Services``` > ```HAProxy``` > ```Backend``` > ```Add``` -* Edit HAProxy Backend server pool > Name: ```ZoneDirector``` -* Edit HAProxy Backend server pool > Server list > ```add another entry``` _(the down arrow)_ - * Name: ```ZDAPConfig``` - * Address: `````` - * Port: ```443``` - * Encrypt: ```tick``` -* Health checking > Health check method > ```none``` -* ```Save``` - -```Apply Changes``` - -### Create HAProxy Frontend - -```Services``` > ```HAProxy``` > ```Frontend``` > ```Add``` -* Edit HAProxy Frontend > Name: ```ZoneDirector``` -* External adress > Port: ```443``` -* External adress > SSL Offloading: ```tick``` -* Default backend, access control lists and actions > Access Control lists > ```add another 
entry``` _(the down arrow)_ - * Name: ```ZDHost``` - * Expression: ```Host matches:``` - * Value: `````` -* Default backend, access control lists and actions > Access Control lists > ```add another entry``` _(the down arrow)_ - * Name: ```ZDFirmwarePath``` - * Expression: ```Path starts with:``` - * Value: ```/firmwares/avpport``` -* Default backend, access control lists and actions > Actions > ```add another entry``` _(the down arrow)_ - * Condition acl names: ```ZDHost ZDFirmwarePath``` - * backend: ```ZoneDirector``` -* SSL Offloading > Certificate > ``` (CA: internal-ca) [Server cer]``` -* SSL Offloading > Certificate > Add ACL for certificate CommonName. (host header matches the "CN" of the certificate): ```tick``` -* ```Save``` - -```Apply Changes``` - -### Enable HAProxy - -```Services``` > ```HAProxy``` > ```Settings``` -* General settings > Enable HAProxy: ```tick``` -* General settings > Maximum connections: ```5``` _(any number here, the # of APs is a safe bet)_ -* ```Save``` - -```Apply Changes``` _(ignore the warnings)_ - -### Add Firewall Rule so HAProxy receives traffic - -```Firewall``` > ```Rules``` > ```WAN``` > ```Add``` _(the down arrow)_ -* Destination > Destination > ```This firewall (self)``` -* Destination > Destination Port Range 
> From: ```HTTPS (443)``` -> _If you can apply a Source rule (e.g. an ISP's IP range) then do so_ -* ```Save``` - -```Apply Changes``` - -# Unleashed Dedicated Master - -You need to NAT incoming UDP 12222,12223 & TCP 60000 WAN traffic to your Unleashed Dedicated Master. -And you need to configure your APs with the public IP address of your Unleashed Dedicated Master. - -## pfSense configuration steps - -### Add Port Aliases - -```Firewall``` > ```Aliases``` > ```Ports``` > ```Add``` -* Properties > Name: ```ZoneDirectorUdp``` -* Port(s) > Port: ```12222:12223``` -* ```Save``` - -```Firewall``` > ```Aliases``` > ```Ports``` > ```Add``` -* Properties > Name: ```ZoneDirectorTcp``` -* Port(s) > Port: ```60000``` -* ```Save``` - -```Apply Changes``` - -### Add NAT Port Forwards - -```Firewall``` > ```NAT``` > ```Port Forward``` > ```Add``` _(the down arrow)_ -* Edit Redirect Entry > Protocol: ```UDP``` -* Edit Redirect Entry > Destination port range > Custom: ```ZoneDirectorUdp``` -> _If you can apply a Source rule (e.g. an ISP's IP range) then do so_ -* Edit Redirect Entry > Redirect target IP > Address: `````` -* Edit Redirect Entry > Redirect target port > Custom: ```ZoneDirectorUdp``` -* ```Save``` - -```Firewall``` > ```NAT``` > ```Port Forward``` > ```Add``` _(the down arrow)_ -* Edit Redirect Entry > Destination port range > Custom: ```ZoneDirectorTcp``` -> _If you can apply a Source rule (e.g. an ISP's IP range) then do so_ -* Edit Redirect Entry > Redirect target IP > Address: `````` -* Edit Redirect Entry > Redirect target port > Custom: ```ZoneDirectorTcp``` -* ```Save``` - - - -```Apply Changes``` - - -# AP configuration steps - -* Install the latest Solo software image on your AP -* SSH into the AP's CLI and configure the ZoneDirector's static external IP address:- - ``` - set director ip - reboot - ``` - +This content has [moved](https://ms264556.net/pages/ZD1200OpenPfsensePorts). \ No newline at end of file