how to HARD HARD reset hAP ac2

Hi, I have bought a second hand hAP ac2 router. I have discovered that the device is limited to the webfig interface with a user account without admin access. The hard reset procedure doesn’t work and even netinstall doesn’t work, I guess it has been disabled. Is there a way to hard reset this thing when I open it so I could flash it with regular firmware?

Please contact the seller, if they sold you a locked device, you can’t “unlock” it. It might be stolen or hacked. I suggest getting your money back.

It was not stolen or hacked; previously it was sold by a telecom operator in Slovakia as a regular AP. The whole thing is completely legal. What happened: they heavily customized the device so regular customers would not mess around with it and the telecom operator would not have to provide support for it. But now the whole thing is over, regular customers are selling the devices second hand in large numbers and I bought one really cheap. If I did not want to customize it for my network, it would be fully operable as a basic wifi AP, but I want the additional features (like turning the DHCP off :)). I contacted the operator but as expected, they said they don’t care. So my question remains: is there a way to completely erase this device if I have full access to it? Like some jumper on the board or something. I don’t mind the risk of bricking the device as it has cost me maybe 20 euros; if it works I will be happy, if it doesn’t work, I can live with it.

It depends on how it is protected.

If only a password is set, simple reset procedure will clear it.
If protected mode is enabled, you can’t reset it. You must return to seller.

I guess the protected mode is enabled as the regular procedure doesn’t work.

Protected mode disables reset and netinstall modes, unless you know a special procedure for the reset button. You would have to hold the button, for example, for 25 seconds, then it unlocks. If you don’t know this setting, there is nothing you can do.

OK, I have read about the reformat-hold-button and reformat-hold-button-max properties, which are probably set, and which I don’t know. I was just wondering if there is some possible hardware option to do a reset. I could even try to unsolder something from the board if that would help; as I said, I don’t mind the risk of destroying the board in the process, it is just not useful for me in its current state.

The idea is to protect device against stealing. If somebody steals it, there is no way to get inside and get your passwords and config, also making the device useless to steal (because it is unusable).

So there is no workaround. It can’t be used, if you don’t know the reformat time setting

That is a pretty stupid idea; if the device is completely reset, then there is no way someone can get the credentials, so a complete reset should be allowed in any circumstances.

Please don’t buy devices from unknown sellers, without checking the condition of the device first

And if they sold it to you, they didn’t give you the passwords ???
If it’s true that they sold it to you, maybe you stole it and are pretending you bought it.

This is a GREAT idea because if someone steals the device, they have to work hard to reuse it…
Configuration or not.

As reformat-hold-button is 5s to 300s and it’s an integer, you need up to 296 attempts increasing the time by one second on each attempt. Power on/off and pressing the button could be automated with an Arduino or something, it would take about 13 hours to try all possible button hold times in increasing order. Or is there some self-destruct feature after too many attempts?

The hAP ac^2 surely has a recent RouterBOOT version, greater than 6.43.7.
From 6.43.7 it is up to 600 seconds, and you must wait 5 minutes before it can appear in netinstall (for a full internal flash format).
If you do not wait, you do not know if you have guessed the time. Ignoring the delay, from 5 to 600 there are 595 possible values * 5 min = 123 hours (ignoring the button press time).
Adding that as well, we get to something like 140 hours needed to try all possible combinations (nearly 5 days), and all that time you must be in front of the PC to see if the device appears in netinstall…
On format flash from “BIOS”, you also lose the licence.

The “easiest” way is to desolder the SPI flash, change the bytes in the bootloader configuration block that lock the device, and solder it back.
At least it’s just an SPI chip that’s not that hard to work with and can be programmed with a cheap CH341A programmer (just make sure, if you buy one off eBay, to fix it so it’s 3.3V, as the default is 5V and that WILL fry your SPI memory!). To know which bytes need to be changed, it’s best to have another hAP and compare memory contents without the bootloader lock active and with it locked.
Actually if it’s running older ROS you can just dump the SPI memory to recover the admin password, log in, disable the protected routerboot and you are done.

This is the SPI flash memory chip:
It may also be possible to connect to it using SPI header pins on the right, but main CPU must not access it at the same time (would have to hold it in reset or something… in circuit programming may be tricky).

Well, we can assume that these pads are used in the factory to program the device, so it should be possible to use them.
Indeed you need to find what the exact procedure is.

This is not a stupid feature. In a holiday resort, youngsters thought to solve their internet connection by pushing the reset button (like initiating a reboot). They wiped the config instead.
As all the hAP ac2 are powered with PoE the network connection is on port 1, which is the WAN port by default.
I had to break in, via another hAP ac2, to restore the config with the WPA2/enterprise access to internet.

Since then all hAP ac2 in the resort are configured with a lengthy “Protected RouterBoard” setting. That made them tamper proof.

I think that to prevent resetting device to factory default config, the “Configure script” option of netinstall is the way to go … it replaces MT’s default config and when device is ordered to reset to default configuration, this is the default configuration.

I’m not sure if default configuration script can set administrator’s password though. Anybody tried that?

I think that to prevent resetting device to factory default config, the “Configure script” option of netinstall is the way to go … it replaces MT’s default config and when device is ordered to reset to default configuration

Ok, but what if you have 50+ or 100+ more APs to configure, would you have to follow the netinstall procedure for each one of them ? Is there a quicker way to do this ?

AFAIK netinstall is the only way of replacing default config. Call it security feature :wink:

Having another default config would be great indeed.
The actual configs are still evolving (30 AP, 200+ devices) for tuning (better roaming, speed, avoiding broadcast, avoiding sticky clients, interference, neighbors’ wifi changes, …), but having a config that makes ether1 open for management (not a WAN port or adapted firewall) would make restoring to the latest tuned config very simple.
Reset with script execution ?