Hello world,
in this tutorial I’m gonna show a quite advanced script to update the root password of openELEC or LibreELEC.
Try it out, but there is no guarantee that this is bug free!
Tested with openELEC v4.0.6, v4.2.1, v5.0.8 and openELEC v6.0.0
Tested with LibreELEC v7.90.002
Why should I change the root password at all?
I’m a security fetishist.
I need to use secure password I can’t even remember, because they are generated (I use LastPassKeePass).
Now that I may want to reach my Pi from outside of my LAN, I needed to replace the password when I’m gonna connect from the WAN area…
There is a way to authenticate via public-private keys, but somehow this didn’t worked for me (and I’m 100% sure I’m doing it right, because Dustplanet is using SSH Keys for connecting, too ;))
However the wiki does state it is not possible to change the password. But that is wrong!
I could have compiled openELEC/LibreELEC from the source but that’s not what I wanted.
Some research was needed
I made some research and found out that openELEC/LibreELEC is a squash filesystem that is mounted read only.
Under the hood there is a /etc/shadow hash file where the root password is stored.
I managed to mount the filesystem writeable (unsquash it), changed the password and made a squash filesystem again.
But I had to do this the manual way.
The solution
The idea was simple, I needed to write a script that perfomrs the process automatically.
Not as easy as I thought, but I managed it. π
After hours of testing and coding (and even deleting my “live” openELEC) I successfully changed the root password!
How does it work
Basically it just mounts the openeELEC image (flash) from your SD card again (looped) and enables read and write access.
A new password hash is generated with mkpasswd and the macOS version uses passlib.
The old password gets replaced and the updated files are used for a new squashfs which is copied back.
Well you can do it on macOS, too!
I wrote an extra article about it, here https://dustpla.net/2d6RT
Why you can’t do this on newer Macs
I tried to do all the setup with my virtual machine on my MacBook Pro Late 2013.
However, I found that I was unable to connect my SD card to my VM…
VMWare has an article about this issue.
That means it’s an unfixable issue and you will need a real linux operation system (or an OS booted from CD/DVD or USB)
However, with an external SD card reader like Transcend TS-RDF5K it’s not a problem anymore!
Required packages
You will need to install two additional packages on your Linux
sudo apt-get install whois
to generate a new password hash for the /etc/shadow file.
and
sudo apt-get install squashfs-tools
to pack and unpack the suqash filesystem.
Run the script
I just want to be on the safe side:
THIS SCRIPT COMES WITH 0% (ZERO) WARRANTY! BACKUP YOUR STUFF! I’M NOT RESPONSIBLE FOR ANY DATA LOSS AND THINGS MIGHT NOT WORK AS EXPECTED!
YOU HAVE BEEN WARNED
You will need to issue this script as sudo.
One thing you need to do manually:
Find out on which device and partition openELEC/LibreELEC is stored.
Take a look at
sudo fdisk -l
for example (small L, will list all devices)
Script usage
sudo ./openELEC [password] [device] (hash) (user)
the [] brackets are required, but if not supplied the script is asking for input
the () brackets are optional. (You could use a different hash like sha256 or another user)
There is an option to create a backup of the current openELEC/LibreELEC image, so you can recover any data when something goes wrong.
There is also support for BerryBoot stored images!
AND NOW FOR THE DOWNLOAD:
https://gist.github.com/timbru31/cc2a323b88a652e6c850
If you want you can grab it directly with wget and make it executable
wget https://gist.githubusercontent.com/timbru31/cc2a323b88a652e6c850/raw/2414c30cef5b64a92e16267d0435aadabec7daa2/openELEC.sh && chmod +x openELEC.sh
Alternatively use curl
curl -O https://gist.githubusercontent.com/timbru31/cc2a323b88a652e6c850/raw/2414c30cef5b64a92e16267d0435aadabec7daa2/openELEC.sh && chmod +x openELEC.sh
Sources // Thanks to
A very big thanks toΒ Keith Wright with his blog post, which showed it’s possible to change the root password:
https://wrightrocket.blogspot.de/2012/06/openelec-on-raspberry-pi.html
https://www.linuxquestions.org/questions/programming-9/change-desired-field-in-passwd-or-shadow-648043/#post3179372
http://www.cyberciti.biz/tips/shell-root-user-check-script.html
https://stackoverflow.com/questions/7522712/how-to-check-if-command-exists-in-a-shell-script
http://www.cyberciti.biz/faq/understanding-etcshadow-file/
http://www.unix.com/302486124-post2.html
https://serverfault.com/questions/7503/how-to-determine-if-a-bash-variable-is-empty
http://www.unix.com/302814743-post2.html
Openelec does not support apt-get out of the box
Of course not, you should run this on your Linux or Mac OS X system, not openELEC itself. You may need to replace apt-get with yum, I tested it on an Ubuntu system.
I’ve tested this wit openELEC 6.0 Beta 1, this wil break the settings, after this procedure you’ll have to configurate openELEC if it was just installed to the memory card, you also have to install all addons at new. Before you do this MAKE A BACKUP.
Hi,
thanks for your feedback, I will test the script soon with openELEC 6.0
Normally you should have a backup (unless disabled) which you could restore.
Cheers,
Tim
wtf
Btw, it seems to be possible to change the squashfs from openelec itself using a separate USB stick: https://sites.google.com/site/andreierdei/openelec-addons/squashfs-howto
You also have to use the author’s mksquashfs addon for openelec. I didn’t test it myself but it seems handy. π
So, my machine doesn’t want to acknowledge my SD card reader, so I can’t actually find anything with sudo fdisk -l. What should I do in that situation?
Nevermind, after reinserting the device like 6 times Debian finally decided to mount it. Reporting that the script is tested and working on LibreELEC 8.0.1. π
Great post but I was wondering if you could write a litte more on this topic?
I’d be very thankful if you could elaborate a little
bit further. Thanks!
Great information..But I don’t have a pi..Just TV BOX.. π
could not mount /dev/SYSTEM….
can’t access tty….
…of course..ERROR .. π
Thank you very mutch. I had to follow carefully both articles, but this script perfectly worked on macOS 10.11 with a SHA512 password!
I just have a suggestion. Reading the instructions, I didn’t understood what “device” I had to specify. So I tried /dev/disk3 but the script failed “Unmount failed for /dev//dev/disk3”. Obviously, I removed “/dev/” and had and an other error mounting “disk3” with “mount_msdos”. Then I realized that “mount_msdos” need the FAT32 partition so I wrote “disk3s1”.
Maybe you could add a precision. On mac you need to do :
$ diskutil list
Then copy the IDENTIFIER (diskXsY) next to the “Windows_FAT_32” partition named “LIBREELEC”. And finally :
$ ./openELEC.sh mynewpassword diskXsY sha512 root
Thanks for your hint! I’m planning to revise this article nevertheless, definitely going to include your suggestion π