qsw-tools icon indicating copy to clipboard operation
qsw-tools copied to clipboard
verified publisher icon marcan

QNAP QSW-M2106R-2S2T

Open davispuh opened this issue 5 months ago • 0 comments

I have QNAP QSW-M2106R-2S2T I couldn't find any information about it's console capabilities so documenting it here for others :)

Using serial console to login with admin and same password* as in QSS Web panel:

OpenWrt login: admin
Password:


BusyBox v1.33.2 (2025-02-18 03:25:30 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 21.02-SNAPSHOT, r0-13e20024f
 -----------------------------------------------------
root@OpenWrt:/admin#

* - there are 2 issues: 1. when setting password it can't be longer than 20 chars but login field will accept more so if you copy from password manager you won't be able to login anymore 2. console login doesn't like some special characters and login won't work when using those (even if you can login fine in Web)

We get proper root shell but it's mostly busybox with limited utilities

# cat /etc/os-release
NAME="OpenWrt"
VERSION="21.02-SNAPSHOT"
ID="openwrt"
ID_LIKE="lede openwrt"
PRETTY_NAME="OpenWrt 21.02-SNAPSHOT"
VERSION_ID="21.02-snapshot"
HOME_URL="https://openwrt.org/"
BUG_URL="https://bugs.openwrt.org/"
SUPPORT_URL="https://forum.openwrt.org/"
BUILD_ID="r0-13e20024f"
OPENWRT_BOARD="mvebu/cortexa53"
OPENWRT_ARCH="aarch64_cortex-a53"
OPENWRT_TAINTS="no-all glibc busybox"
OPENWRT_DEVICE_MANUFACTURER="OpenWrt"
OPENWRT_DEVICE_MANUFACTURER_URL="https://openwrt.org/"
OPENWRT_DEVICE_PRODUCT="Generic"
OPENWRT_DEVICE_REVISION="v0"
OPENWRT_RELEASE="OpenWrt 21.02-SNAPSHOT r0-13e20024f"

# cat /proc/cpuinfo
processor       : 0
BogoMIPS        : 50.00
Features        : fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
CPU implementer : 0x41
CPU architecture: 8
CPU variant     : 0x2
CPU part        : 0xd05
CPU revision    : 0

processor       : 1
BogoMIPS        : 50.00
Features        : fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
CPU implementer : 0x41
CPU architecture: 8
CPU variant     : 0x2
CPU part        : 0xd05
CPU revision    : 0

# ps w
  PID USER       VSZ STAT COMMAND
    1 root      3256 S    /sbin/procd
[...]
  830 ubus      2604 S    /sbin/ubusd
  861 root      2240 S    /sbin/urngd
 1064 logd      3024 S    /sbin/logd -S 64
 1116 root      3300 S    /sbin/rpcd -s /var/run/ubus/ubus.sock -t 30
 1185 root      2664 S    /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p 22 -K 300 -T 3
 1317 root      2944 S    /sbin/netifd
 1379 root      2776 S    /usr/sbin/odhcpd
 1461 root      3832 S    /usr/sbin/crond -f -c /etc/crontabs -l 5
 1505 root      3696 S    /bin/sh /usr/bin/evdisp.sh
 1519 root      2548 S    ubus listen
 1520 root      3696 S    /bin/sh /usr/bin/evdisp.sh
 1547 root      443m S    /sbin/hal_daemon -f
 1567 root         0 Z    [sh]
 1735 root      4060 S    /bin/sh /usr/bin/issmon.sh
 1833 root     3355m S    /usr/local/bin/ISS.exe -daemon -config /etc/iss.config -redir_stdout /var/log/iss.log
 4635 root         0 IW   [kworker/0:1-eve]
 6460 root         0 IW   [kworker/u4:2-ev]
 6541 root         0 IW   [kworker/1:1-mm_]
11330 root         0 IW   [kworker/u4:1-fl]
12769 root      711m S    /usr/local/bin/aricent-backend.arm
13817 root      3832 S    -ash
15800 root      3928 S    sleep 10
15814 root      3832 R    ps w
28578 root         0 IW   [kworker/0:0]

SSH is already enabled and running by default but there is firewall rule to drop SSH traffic. Don't know what would be best way to make it accessible. One option is to comment out ssh in /etc/firewall.user but I wonder if there isn't some CLI command for this.

There are also couple of other services running (all blocked in firewall):

  • port 6023 - Aricent CLI
  • port 6080 - Aricent Web GUI (gives error after login using admin creds, also it says "Compatible Browsers: Internet Explorer 8.0, Mozilla Firefox 3.5" 🤦‍♂️ )
  • port 12345 - LUA CLI shell
# telnet 127.0.0.1 6023
Aricent Intelligent Switch Solution

OfficeSwitch login: admin
Password:

iss#

Firmware QSW-M2106-FW.v1.2.1_S20250218_1909949.img is .tar archive, after extracting you get

fwver.json
sysupgrade-ac5_m2106/update_img.sh
sysupgrade-ac5_m2106/CONTROL
sysupgrade-ac5_m2106/root
sysupgrade-ac5_m2106/uboot
sysupgrade-ac5_m2106/kernel
sysupgrade-ac5_m2106/poe_fw.tar.gz

All files appear to be encrypted and no idea how to decrypt them.

davispuh avatar Jul 22 '25 23:07 davispuh