Enabling telnet on Netgear EVA8000 Digital Entertainer

The Netgear EVA8000 Digital Entertainer has a telnet daemon installed, but by default it is disabled. During bootup the startup script for the telnet daemon examines the contents of /etc/utelnetd.conf and starts the telnet daemon if the contents is set to “ENABLE 1”

Once telnet is enabled you can log into the system with the username “EVA8000” and the password “Netgear”.

There are two ways to do this depending on which firmware version you are running.

If you’re still using the 1.2.x series of firmware you can use the built-in menu options that allows saving and restoring settings to modify this file.

The steps to accomplish this is documented by flusk on http://mpcclub.com/modules.php?name=Forums&file=viewtopic&t=13503

  1. Create a trial settings backup, using the Supervisor->Advanced Setup->Backup settings option
  2. Confirm that a file was created in the location you’ve set for the EVA to store its library on. The file will be in the backup directory
  3. Create a new file, called utelnetd.conf, in a directory called etc in a temporary location
  4. Change the contents of this file to contain a single line “ENABLE 1” (without the quotes)
  5. Create a tar archive of this file including the etc directory
  6. Copy the tar file to the EVA Backup directory
  7. On the EVA8000, restore the settings from this file.
  8. Once the EVA has restarted telnet will be enabled and you can log in with username “EVA8000” password “Netgear”

If, however, you are using one of the later beta firmware versions then the Backup settings option has been removed and you can no longer use this method to enable telnet.

To enable telnet on the newer firmware versions involve editing the firmware image to make the same change as above, changing ENABLE 0 to ENABLE 1 in the utelnetd.conf file.

I posted this same method on the Netgear Beta forums and it has been confirmed to work by others. (http://forum1.netgear.com/showthread.php?t=20991&page=2&p=95783)

  1. Split the FW image into three parts. A 32 byte md5 header, the bootloader+kernel and finally the jffs2 image. If you’re using the same FW as me (V2.1.16IS.IMG):
  2. FW=EVA8000_V2.1.16IS.IMG
    dd if=$FW of=crc bs=1 count=32
    dd if=$FW of=bootkernel bs=1 skip=32 count=$((0x210000))
    dd if=$FW of=jffsroot bs=1 skip=$((0x210020))
  3. Edit the jffs2 image with bvi and change the ‘ENABLE 0’ to ‘ENABLE 1’ inside the inode for dirent utelnetd.conf (Near offset 0x5cfd8 of the jffs2 image).
  4. Re-run jffs2dump -c on the new image. This will complain and say that the block now has an invalid CRC.
  5. Luckily it also prints out what the expected CRC should be.. so, make a note of this and update the crc (77 C7 E9 3E should be changed to 36 F6 F2 27 at offset 0x5CFD0 in the jffs2 image).
  6. Re-run jffs2dump again to make sure its consistent
  7. Combine the extracted bootloader+kernel with the new image and calculate the new md5sum:
  8. cat bootkernel jffsroot_mod > tempimage
    md5sum tempimage
  9. Create a new file with the ASCII portion of the md5sum in it, making sure it is exactly 32 bytes long (no newline)
  10. Stitch everything back together:
  11. cat newcrc bootkernel jffsroot_mod > telnet_enabled.img

Note that some of these steps can be skipped because the CRC of the JFFS2 inode will usually be the same across image versions because the contents doesn’t change. The steps are only provided for completeness. In reality all you would have to do is edit the original image, change ENABLE 0 to ENABLE 1, change the JFFS2 CRC (which will be the same values as above), strip off the first 32 bytes of the new images, re-calculate the md5sum and insert it at the start of the file.

5 thoughts on “Enabling telnet on Netgear EVA8000 Digital Entertainer”

  1. Shouldn’t it be possible to just (loop-)mount the jffs2 image into a temporary filesystem? Then you need not search for the info, and the jffs2 will have the correct checksum by itself afterwards consistently…

  2. One can also copy the CramFS (its magic being 45 3D CD 28) – from that point to EOF & mount it:

    mount -o loop -t cramfs eva8000.fs /mnt/eva

  3. And if one copy from -rom1fs- to CranFS magic then one gets rom1.fs which can be mounted with:

    mount -o loop -t romfs rom1.fs /mnt/rom1

    Inside is just image.bin

Leave a Reply