Differences

This shows you the differences between two versions of the page.

--- ccgx:root_access [2023-03-02 09:09] – [Disable touch on the attached screen] dfaber
+++ ccgx:root_access [2024-12-03 11:17] (current) – [3.1 Set access level to Superuser] mvader
@@ Line 1: / Line 1: @@
 ====== Venus OS: Root Access ======
-===== Introduction =====
+===== 1. Introduction =====
 This document explains how to access a GX device via SSH, or straight on the Serial Console, with the root user. It also covers customizing and hardening a GX device against nonauthorised access.
@@ Line 9: / Line 9: @@
 Do note that, while we try to maintain to provide all mentioned functionality in this document, the used commands and functionality may change with future updates.
-===== Warning about modifying the rootfs =====
+===== 2. Warning about modifying the rootfs =====
 __1. Your changes can be lost during a firmware update__
@@ Line 30: / Line 30: @@
   - if you remove the files in /data/venus, then -depending on the production date- you might have to restore those manually which might require serial console access. See below. Why does this depend on the production date? Thats because somewhere in 2021 we started writing all factory data to a different place (an eeprom) to make it more robust.
-======= Root access ======
+===== 3. Root access =====
+==== 3.1 Set access level to Superuser ====
+To set the root password, first set the access level to Superuser.
-==== Set access level to Superuser ====
-To set the root password, first set the access level to Superuser:
   - Go to Settings, General
   - Set the Access Level to User and installer, the password is ''ZZZ''
   - Highlight Access Level (don't open the select page, ie. make sure you are in the General Page, not the Access Level page)
-  - Press and hold the right button of the center pad until you see the Access Level change to Superuser. Note: when working from the Remote Console, you need to use the right key on your keyboard. Pressing and holding the right button with your mouse won't work.
+  - Press and hold the right button of the center pad until you see the Access Level change to Superuser. Note: when working from the Remote Console using the Classic UI, you need to use the right key on your keyboard. Pressing and holding the right button with your mouse won't work. When using the New UI, select, drag down and hold down the entire list of General menu entries for five seconds, and until you see the Access level change to super user.
 Now you have access to the super user features.
@@ Line 43: / Line 44: @@
 Note that on a touchscreen, such as a Cerbo GX + GX Touch, there is no "right button". Instead, drag the menu down and hold it down for five seconds. Or, use Remote Console.
-==== Create a temporary root password ====
+==== 3.2 Create a temporary root password ====
 Go to //Settings -> General -> Set root password//. And create a temporary root password.
@@ Line 49: / Line 50: @@
 Note that, for firmware version v2.00 and later, the root password will be reset by a firmware update. The reason is that the passwd file is on the rootfs, which is fully replaced by an update. More info [[https://github.com/victronenergy/venus/wiki/swupdate-project|here]].
-Our advice is to create a complex root password. But use it to login only the first time, and then install a public ssh key(s). Thereafter login with the keys. If key authentication works, you can also
+Our advice is to create a complex root password. But use it to login only the first time, and then install a public ssh key(s). Thereafter login with the keys. If key authentication works, you can
-safely delete the root password afterwards (''passwd --delete root'').
+safely disallow root logins with a password with '' echo 'root:*' | chpasswd -e ''.
-==== Enable sshd and log in =====
+The password needs to be 6 characters long, minimum.
+==== 3.3 Enable sshd and log in =====
-To login via ssh, enable SSH on LAN (//Settings -> General//). On Venus versions before v2.40, you need to enable Remote Support, which also enables sshd. More info on Remote Support [[ccgx:ccgx_faq#what_is_the_functionality_behind_the_menu_item_remote_support_ssh_in_the_ethernet_menu|here]].
+To login via ssh, enable SSH on LAN (//Settings -> General//). On Venus versions before v2.40, you need to enable Remote Support, which also enables sshd. More info on Remote Support [[https://www.victronenergy.com/media/pg/Cerbo_GX/en/troubleshooting.html#UUID-f13193f4-c359-4a49-005e-05da0fdd6a70|here]].
 To the login, enter the ip address of the GX device in a ssh client. Most Linux and Mac users will simply do this from the command line:
@@ Line 62: / Line 64: @@
 And a very commonly used client for Windows is [[http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html|Putty]]. For more info, look around on the Internet, there is [[https://www.google.nl/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=putty+ssh+login&tbm=vid|plenty information]] available.
-==== Installing ssh keys ====
+==== 3.4 Installing ssh keys ====
 Using a ssh key for authentication, instead of a root password, has the advantage that it isn't lost during a firmware update. The keys are stored on the /data partition.
@@ Line 75: / Line 77: @@
 The third file contains the keys we use for Remote Support login.
-==== Play time! Start executing commands ====
+==== 3.5 Play time! Start executing commands ====
 https://www.victronenergy.com/live/open_source:ccgx:commandline
-======= Customizing a GX device =======
+===== 4. Customizing a GX device =====
-==== Hooks to install/run own code at boot ====
+==== 4.1 Hooks to install/run own code at boot ====
 Everything, except for information on ''/data'', will be wiped after an update.
@@ Line 89: / Line 91: @@
 If the files ''/data/rcS.local'' or ''/data/rc.local'' exists, they will be called early (rcS) and late (rc) during startup. These scripts will survive upgrades and can be used by customers to start their own custom software. Implementation details in [[https://github.com/victronenergy/meta-victronenergy/commit/2dbd16c560ff7cdf70b1d676c0616013169c7484|this commit]].
-Also if ''venus-data.{tar.gz,tgz,zip}'' is found on removable storage (usb stick, sd-card) when booting, it will be unpacked into /data. Implementation details in [[https://github.com/victronenergy/meta-victronenergy/commit/469760fef4ed2ee977f482c997ac24c2678222c5|this commit]]. Added per Venus v2.30~28. Use this to for example make a USB stick that installs the modifications.
+Also if ''venus-data.*.{tar.gz,tgz,zip}'' is found on removable storage (usb stick, sd-card) when booting, it will be unpacked into /data. Implementation details in [[https://github.com/victronenergy/meta-victronenergy/commit/469760fef4ed2ee977f482c997ac24c2678222c5|this commit]]. Added per Venus v2.30~28. Use this to for example make a USB stick that installs the modifications. You can combine multiple files on the device; they will be run in alphabetical order.
 That venus-data file has one extra feature: if the archive contains ''rc/*'' files, it will extract those first. And if there is a file called ''rc/pre-hook.sh'' it will run this before unpacking the rest of the archive. Similarly, if there is a file called ''rc/post-hook.sh'', then that file will run this after the unpacking of the archive. For details, read the code in the ''/etc/rc5.d/S30update-data.sh'' file.
+You can draw further inspiration from [[https://github.com/victronenergy/meta-victronenergy/tree/master/meta-venus/scripts|here]], where the code resides to generate files for making backups of the ''/data'' partition, resetting Node-RED and SignalK and more scripts.
 You can test the 'update' with
@@ Line 100: / Line 104: @@
 https://github.com/victronenergy/venus/wiki/swupdate-project
-==== Creating a patch file ====
+==== 4.2 Partitions, read-only rootfs and available disk space ====
-As mentioned before, the recommended way of customising Venus OS is by applying patch files. This section describes how to make and apply a patch.
-You start by making a copy of the original file and modifying it to accommodate your changes. In order to create a patch file containing the changes you’ve made, run the following command:
-    diff -u OriginalFile UpdatedFile > PatchFile
-In order to patch the original file with your changes, you can use the below command:
-    patch OriginalFile < PatchFile
-For more advanced features please check the manual page of [[https://man7.org/linux/man-pages/man1/diff.1.html|diff]] and [[https://man7.org/linux/man-pages/man1/patch.1.html|patch]].
-==== Partitions, read-only rootfs and available disk space ====
 On a GX Device, there are three partitions that matter:
@@ Line 122: / Line 112: @@
   * the data partition
-=== One active rootfs at a time ===
+=== 4.2.1 One active rootfs at a time ===
 Only one of the two rootfs partitions will be in use at time. During a firmware update, the new firmware is installed on the other one; and once finished the subsequent reboot will reboot the device onto that other partition.
@@ Line 128: / Line 118: @@
 The data partition is not touched during a firmware update, except maybe some migration scripts that run at boot.
-=== Always prevent running out of diskspace ===
+=== 4.2.2 Read-only rootfs ===
+By default, the rootfs is mounted read only. Also, by default, it only has 5% of free space, while the partition in which its installed is actually larger.
+The recommended method to **(a)** mount it as read/write, and **(b)** expand it to use all of the available space in its partition, is by running ''/opt/victronenergy/swupdate-scripts/resize2fs.sh''.
+Here is a short overview of the three ways mount the rootfs as read/write:
+  * //temporally//: issue the command ''mount -o remount,rw /'' (which holds until the next reboot or issueing ''mount -o remount,ro /'')
+  * //semi-permanent//: issue the command ''/opt/victronenergy/swupdate-scripts/remount-rw.sh'' (which holds until the next firmware update)
+  * //permanent//: adding one of the above commands to ''/data/rc.local'' (which holds permanently)
+=== 4.2.3 Always prevent running out of diskspace ===
 When doing modifications, make sure both the data partition and the rootfs do not run out of space. We don't design or test for that situation.
@@ Line 134: / Line 136: @@
 With regards to the size of the data partition, thats easy to check using the ''df'' utility. But not so for the rootfs:
-After logging into a GX device, and checking the free disk space on the rootfs(! thats not the data partition), you might get a bit disappointed at first. Don't worry about that, there will always be only 5% of free space, but thats not the actual free space:
+After logging into a GX device, and checking the free disk space on the rootfs (! that is not the data partition), you might get a bit disappointed at first. Don't worry about that, there will always be only 5% of free space, but thats not the actual free space:
-The reason for this is that a firmware update replaces the full filesystem on the rootfs, as an image. And its then not expanded to the full available space of the partition reserved for the rootfs.
+The reason for this is that a firmware update replaces the full filesystem on the rootfs, as an image. And its then **not** by default expanded to the full available space of the partition.
 To expand it, run ''/opt/victronenergy/swupdate-scripts/resize2fs.sh''. It will expand the filesystem to use all of the available space.
@@ Line 148: / Line 150: @@
 Note that a firmware update will replace all of the rootfs, as also explained above. Which implies that you'll need to run ''resize2fs.sh'' again after doing a firmware update.
-===== Adding or modifying services =====
+==== 4.3 Creating a patch file ====
+As mentioned before, the recommended way of customising Venus OS is by applying patch files. This section describes how to make and apply a patch.
+You start by making a copy of the original file and modifying it to accommodate your changes. In order to create a patch file containing the changes you’ve made, run the following command:
+    diff -u OriginalFile UpdatedFile > PatchFile
+In order to patch the original file with your changes, you can use the below command:
+    patch OriginalFile < PatchFile
+For more advanced features please check the manual page of [[https://man7.org/linux/man-pages/man1/diff.1.html|diff]] and [[https://man7.org/linux/man-pages/man1/patch.1.html|patch]].
+In this thread, there is an example of how to make a patch file to change a certain setting in the GX, and how to apply that at boot. To make it survive a firmware update:
+https://community.victronenergy.com/idea/201826/lets-define-a-local-ntp-server.html
+==== 4.4 Adding or modifying services ====
 Changes made to ''/service'' will not survive a reboot. The
@@ Line 157: / Line 176: @@
 ''/service''.
-By default the root filesystem of Venus is read-only. There are three ways to change that:
+Further details here: https://github.com/victronenergy/venus/wiki/howto-add-a-driver-to-Venus#installing-a-driver-that-doesnt-depend-on-a-serial-port
-  * //temporally//: issue the command ''mount -o remount,rw /'' (which holds until the next reboot or issueing ''mount -o remount,ro /'')
+===== 5. Hardening a GX device =====
-  * //semi-permanent//: issue the command ''/opt/victronenergy/swupdate-scripts/remount-rw.sh'' (which holds until the next firmware update)
-  * //permanent//: adding one of the above commands to ''/data/rc.local'' (which holds permanently)
-======= Hardening a GX device =======
-===== Limit physical access to the device =====
+==== 5.1 Limit physical access to the device ====
 The first thing to keep in mind is that we as Victron Energy always want an
@@ Line 183: / Line 198: @@
 access to the device.
-===== Disable touch on the attached screen =====
+==== 5.2 Disable touch on the attached screen ====
 Per Venus OS version v3.00, we are introducing a feature that allows disabling the touch feature on the GX Touch display.
@@ Line 190: / Line 205: @@
 Details per GX device:
+  * Ekrano GX: a digital input can be configured to be used for this. Wire it to a momentary-push button, that shorts the input (grounds it).
   * Cerbo GX + GX touch: a digital input can be configured to be used for this. Wire it to a momentary-push button, that shorts the input (grounds it).
   * Venus GX: has no screen, not relevant.
@@ Line 198: / Line 213: @@
 Note that this setting only disables touch/mouse control. On the remote console you are still able to control the device with keyboard input. That is also true if you plugin an external USB keyboard. With the keyboard it is also possible to toggle the ''/Settings/Gui/TouchEnabled'' setting by pressing the [[https://en.wikipedia.org/wiki/Break_key|Pause/Break key]] key. So if you need this feature to be switched on, make sure that the USB ports are not accessible.
-===== Limiting digital access  =====
+==== 5.3 Limiting digital access  ====
 When securing the device, it is also advised to disable the Wi-Fi access point,
@@ Line 246: / Line 262: @@
 that.
-===== Installing a tamper alarm =====
+==== 5.4 Installing a tamper alarm ====
 By using the digital input(s) of the GX device, you can set the digital
@@ Line 261: / Line 277: @@
   * If a logical low input (0V) should be considered a positive condition, set //Inverted alarm logic// to on.
-===== Hardening multiple devices =====
+==== 5.5 Hardening multiple devices ====
 If you have a lot of Venus devices to modify, probably the easiest way is to
@@ Line 271: / Line 287: @@
 Later replace that by something more strong and store it in your vault. Use the USB stick to put your public ssh keys on the GX device so you can gain remote access.
-======  Connecting on the serial console ======
+===== 6. Connecting on the serial console =====
 The serial console offers a straight connection from your computer. Not relying on TCP or anything else.
@@ Line 281: / Line 297: @@
 The serial consoles on all GX devices are configured to 115200 baud.
-===== Serial console on GX device =====
+==== 6.1 Color Control GX ====
 All GX Devices have a dedicated serial console, except for the CCGX. Therefor its documented on a separate page:
@@ Line 287: / Line 303: @@
 [[https://github.com/victronenergy/venus/wiki/ccgx-serial-console|CCGX Serial Console]].
-===== Serial Console on Cerbo GX =====
+==== 6.2 Cerbo GX ====
 The serial console is located on the CPU board, header JP201. GND is pin 1, RX and TX are pins 4 and 5. Here is a picture showing a [[https://www.adafruit.com/product/954|ADA Fruit Serial Console cable]] connected to it.
@@ Line 295: / Line 311: @@
 {{ :ccgx:cerbo_serial_console.jpg?nolink&600 |}}
-===== Serial Console on Venus GX =====
+==== 6.3 Venus GX ====
 The serial console is located on the base-board, and can be accessed through the slot between that board and the Ethernet connector on the beaglebone-board.
@@ Line 309: / Line 325: @@
 {{ :ccgx:venus_gx_serial_console.png?nolink&600 |}}
-===== Serial console on GX Card / Nanopi =====
+==== 6.4 GX Card / Nanopi ====
 The GX Card is the PCBA inside the MultiPlus-II GX and EasySolar-II GX product ranges. This photo shows the card, when unmounted from these inverter/chargers.
@@ Line 320: / Line 336: @@
-===== Serial console on Octo GX =====
+==== 6.5 Octo GX ====
 The serial console is located on the base-board, and can be accessed with the top-board unmounted. With the serial console cable connected the top-board can be put back on again.
@@ Line 334: / Line 350: @@
 {{ :ccgx:octo-gx_serial-console.jpg?300 |}}
+==== 6.6 Ekrano GX ====
+Getting to console on the Ekrano GX is not that easy. The pins are located between the network and USB connector on the back of the device.
+  - Black: ground
+  - NC
+  - NC
+  - Green: RX of the Ekrano GX - connect to TX on your cable
+  - White: TX of the Ekrano GX - connect to RX on your cable
+  - NC
+{{ :ccgx:ekrano-console.jpg?300 |}}