Hello world,

in this tutorial I’m gonna show a quite advanced script to update the root password of openELEC or LibreELEC.
Try it out, but there is no guarantee that this is bug free!


Tested with openELEC v4.0.6, v4.2.1, v5.0.8 and openELEC v6.0.0
Tested with LibreELEC v7.90.002

 

Why should I change the root password at all?

I’m a security fetishist.
I need to use secure password I can’t even remember, because they are generated (I use LastPassKeePass).
Now that I may want to reach my Pi from outside of my LAN, I needed to replace the password when I’m gonna connect from the WAN area…
There is a way to authenticate via public-private keys, but somehow this didn’t worked for me (and I’m 100% sure I’m doing it right, because Dustplanet is using SSH Keys for connecting, too ;))

However the wiki does state it is not possible to change the password. But that is wrong!
I could have compiled openELEC/LibreELEC from the source but that’s not what I wanted.

 

Some research was needed

I made some research and found out that openELEC/LibreELEC is a squash filesystem that is mounted read only.
Under the hood there is a /etc/shadow hash file where the root password is stored.
I managed to mount the filesystem writeable (unsquash it), changed the password and made a squash filesystem again.
But I had to do this the manual way.

 

The solution

The idea was simple, I needed to write a script that perfomrs the process automatically.
Not as easy as I thought, but I managed it. πŸ™‚
After hours of testing and coding (and even deleting my “live” openELEC) I successfully changed the root password!

 

How does it work

Basically it just mounts the openeELEC image (flash) from your SD card again (looped) and enables read and write access.
A new password hash is generated with mkpasswd and the macOS version uses passlib.
The old password gets replaced and the updated files are used for a new squashfs which is copied back.

 

Well you can do it on macOS, too!

I wrote an extra article about it, here https://dustpla.net/2d6RT

Why you can’t do this on newer Macs

I tried to do all the setup with my virtual machine on my MacBook Pro Late 2013.
However, I found that I was unable to connect my SD card to my VM…
VMWare has an article about this issue.
That means it’s an unfixable issue and you will need a real linux operation system (or an OS booted from CD/DVD or USB)

However, with an external SD card reader like Transcend TS-RDF5K it’s not a problem anymore!

 

Required packages

You will need to install two additional packages on your Linux

sudo apt-get install whois

to generate a new password hash for the /etc/shadow file.

and

sudo apt-get install squashfs-tools

to pack and unpack the suqash filesystem.

 

Run the script

I just want to be on the safe side:
THIS SCRIPT COMES WITH 0% (ZERO) WARRANTY! BACKUP YOUR STUFF! I’M NOT RESPONSIBLE FOR ANY DATA LOSS AND THINGS MIGHT NOT WORK AS EXPECTED!

YOU HAVE BEEN WARNED

You will need to issue this script as sudo.

One thing you need to do manually:
Find out on which device and partition openELEC/LibreELEC is stored.
Take a look at

sudo fdisk -l

for example (small L, will list all devices)

Script usage

sudo ./openELEC [password] [device] (hash) (user)

the [] brackets are required, but if not supplied the script is asking for input
the () brackets are optional. (You could use a different hash like sha256 or another user)

There is an option to create a backup of the current openELEC/LibreELEC image, so you can recover any data when something goes wrong.

There is also support for BerryBoot stored images!

AND NOW FOR THE DOWNLOAD:
https://gist.github.com/timbru31/cc2a323b88a652e6c850
If you want you can grab it directly with wget and make it executable

wget https://gist.githubusercontent.com/timbru31/cc2a323b88a652e6c850/raw/2414c30cef5b64a92e16267d0435aadabec7daa2/openELEC.sh && chmod +x openELEC.sh

Alternatively use curl

curl -O https://gist.githubusercontent.com/timbru31/cc2a323b88a652e6c850/raw/2414c30cef5b64a92e16267d0435aadabec7daa2/openELEC.sh && chmod +x openELEC.sh

 

Sources // Thanks to

A very big thanks toΒ Keith Wright with his blog post, which showed it’s possible to change the root password:
https://wrightrocket.blogspot.de/2012/06/openelec-on-raspberry-pi.html
https://www.linuxquestions.org/questions/programming-9/change-desired-field-in-passwd-or-shadow-648043/#post3179372
http://www.cyberciti.biz/tips/shell-root-user-check-script.html
https://stackoverflow.com/questions/7522712/how-to-check-if-command-exists-in-a-shell-script
http://www.cyberciti.biz/faq/understanding-etcshadow-file/
http://www.unix.com/302486124-post2.html
https://serverfault.com/questions/7503/how-to-determine-if-a-bash-variable-is-empty
http://www.unix.com/302814743-post2.html

HowTo – Update/Change openELEC/LibreELEC root ssh password

12 thoughts on “HowTo – Update/Change openELEC/LibreELEC root ssh password

  • April 18, 2015 at 5:02 pm
    Permalink

    Openelec does not support apt-get out of the box

    Reply
    • April 19, 2015 at 4:18 pm
      Permalink

      Of course not, you should run this on your Linux or Mac OS X system, not openELEC itself. You may need to replace apt-get with yum, I tested it on an Ubuntu system.

      Reply
  • May 11, 2015 at 7:19 pm
    Permalink

    I’ve tested this wit openELEC 6.0 Beta 1, this wil break the settings, after this procedure you’ll have to configurate openELEC if it was just installed to the memory card, you also have to install all addons at new. Before you do this MAKE A BACKUP.

    Reply
    • May 11, 2015 at 9:50 pm
      Permalink

      Hi,
      thanks for your feedback, I will test the script soon with openELEC 6.0
      Normally you should have a backup (unless disabled) which you could restore.
      Cheers,
      Tim

      Reply
  • May 19, 2017 at 4:09 pm
    Permalink

    So, my machine doesn’t want to acknowledge my SD card reader, so I can’t actually find anything with sudo fdisk -l. What should I do in that situation?

    Reply
  • May 19, 2017 at 4:43 pm
    Permalink

    Nevermind, after reinserting the device like 6 times Debian finally decided to mount it. Reporting that the script is tested and working on LibreELEC 8.0.1. πŸ™‚

    Reply
  • May 24, 2017 at 4:44 pm
    Permalink

    Great post but I was wondering if you could write a litte more on this topic?

    I’d be very thankful if you could elaborate a little
    bit further. Thanks!

    Reply
  • May 26, 2017 at 10:59 pm
    Permalink

    Great information..But I don’t have a pi..Just TV BOX.. πŸ™

    could not mount /dev/SYSTEM….

    can’t access tty….

    …of course..ERROR .. πŸ™

    Reply
  • November 5, 2017 at 4:38 pm
    Permalink

    Thank you very mutch. I had to follow carefully both articles, but this script perfectly worked on macOS 10.11 with a SHA512 password!

    I just have a suggestion. Reading the instructions, I didn’t understood what “device” I had to specify. So I tried /dev/disk3 but the script failed “Unmount failed for /dev//dev/disk3”. Obviously, I removed “/dev/” and had and an other error mounting “disk3” with “mount_msdos”. Then I realized that “mount_msdos” need the FAT32 partition so I wrote “disk3s1”.

    Maybe you could add a precision. On mac you need to do :
    $ diskutil list
    Then copy the IDENTIFIER (diskXsY) next to the “Windows_FAT_32” partition named “LIBREELEC”. And finally :
    $ ./openELEC.sh mynewpassword diskXsY sha512 root

    Reply
    • November 6, 2017 at 6:30 pm
      Permalink

      Thanks for your hint! I’m planning to revise this article nevertheless, definitely going to include your suggestion πŸ™‚

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.