Logging In, TKIP -> AES #6

Open
c00ni opened this issue Oct 14, 2020 · 13 comments

Comments

@c00ni

c00ni commented Oct 14, 2020

Hi, I've got MW6's. They only do WPA2 TKIP instead of AES and I've read somewhere along the way they simply disabled AES.

First, can I telnet into it without doing anything special hardware-wise? I get the password is just base64 encode of the default password. You say you hold reset for 3 seconds, but you were connected via UART first? Can it be done without opening it up and mucking around?

Next, did you see anything about TKIP vs AES looking around? Happy to look around myself once in.

@crees
Contributor

crees commented Oct 15, 2020

No need to do anything special. Just do the reset button thing and the telnet port opens.

@c00ni
Author

c00ni commented Oct 15, 2020

Thanks, I got in.
It's the base64 of the current wifi password, not the default (which of course may have been current).

Interestingly I've found the primary node only accepts WPA2 AES but the secondary node does WPA and WPA2, TKIP/AES.

MacOS's airport command showing the following:

Primary
SSID BSSID2G -56  6,-1    Y  -- WPA2(PSK/AES/AES)
SSID BSSID5G -56  40      Y  US WPA2(PSK/AES/AES)
 
Secondary
SSID BSSID2G -49  6,-1    Y  -- WPA(PSK/TKIP,AES/TKIP) WPA2(PSK,FT-PSK/TKIP,AES/TKIP)
SSID BSSID5G -37  40      Y  US WPA(PSK/TKIP,AES/TKIP) WPA2(PSK,FT-PSK/TKIP,AES/TKIP)
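
A small audit of scan output like that quoted in the comment above, as an added example that is not part of the thread or the project's code: it parses each WPA/WPA2 entry and lists the nodes still offering WPA1 or TKIP. It assumes the parenthesised fields are auth / pairwise ciphers / group cipher; the node labels in the sample are constructed placeholders.

```python
import re

# One entry as shown in the scan lines above, e.g. WPA2(PSK,FT-PSK/TKIP,AES/TKIP).
# Assumed field order inside the parentheses: auth / pairwise ciphers / group cipher.
ENTRY = re.compile(r"\b(WPA2?)\(([^/()]*)/([^/()]*)/([^/()]*)\)")
# Network label = everything before the RSSI column (a negative integer).
LABEL = re.compile(r"^\s*(.*?)\s+-\d+\s")

def parse_security(line):
    """Return one dict per WPA/WPA2 entry advertised on a scan line."""
    return [
        {"proto": proto, "auth": auth.split(","),
         "pairwise": pairwise.split(","), "group": group.split(",")}
        for proto, auth, pairwise, group in ENTRY.findall(line)
    ]

def weaknesses(line):
    """List the reasons a scan line counts as weak (WPA1 or any TKIP use)."""
    found = []
    for e in parse_security(line):
        if e["proto"] == "WPA":
            found.append("WPA1 offered")
        if "TKIP" in e["pairwise"]:
            found.append(f"{e['proto']} pairwise TKIP")
        if "TKIP" in e["group"]:
            found.append(f"{e['proto']} group TKIP")
    return found

def audit(scan_text):
    """Map network label -> weaknesses, for lines that have at least one."""
    report = {}
    for line in scan_text.splitlines():
        label = LABEL.match(line)
        issues = weaknesses(line)
        if label and issues:
            report[label.group(1)] = issues
    return report

# Constructed sample: the four lines from the comment, with placeholder labels.
SAMPLE = """\
SSID PRIMARY_2G -56  6,-1    Y  -- WPA2(PSK/AES/AES)
SSID PRIMARY_5G -56  40      Y  US WPA2(PSK/AES/AES)
SSID SECONDARY_2G -49  6,-1    Y  -- WPA(PSK/TKIP,AES/TKIP) WPA2(PSK,FT-PSK/TKIP,AES/TKIP)
SSID SECONDARY_5G -37  40      Y  US WPA(PSK/TKIP,AES/TKIP) WPA2(PSK,FT-PSK/TKIP,AES/TKIP)
"""

if __name__ == "__main__":
    for name, issues in audit(SAMPLE).items():
        print(f"{name}: {', '.join(issues)}")
```
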

@crees
Contributor

crees commented Oct 15, 2020

That is really interesting! You could have a go at telnetting into the secondary node, and using cfm to see if there are any settings on that. I find it unlikely that the meshing would rely on WPA1/TKIP as the primary does not use it.

I'd still be very cautious about what you change...

@c00ni
Author

c00ni commented Oct 16, 2020

Yeah very interesting indeed.
I’m using Ethernet for backhaul as well.

I dumped all the settings on both nodes and ran a diff between them, only a handful of values came out. I changed the two pertaining to wl2g and wl5g so the secondary matches the primary but no dice.

Doing my head in.

(I noticed there was an issue because iOS 14 now gives a ‘weak security’ banner of shame when connecting to TKIP networks, but the warning disappears when it roams over to the primary node)

@crees
Contributor

crees commented Oct 16, 2020

When I get a chance, I'll have a play with my MW5s - I can't really fiddle too much with them right now as I really can't risk breaking them with so little free time, but it's definitely an annoyance (and a concern too I guess).

@gingerbeardman

Watching because I'm also in the same position with the same annoyance/concern.

Aside: I have emailed Tenda about TKIP iOS 14 warning - unrelated to this issue - via the email address from a previous support query when they were very helpful. I doubt they'll address TKIP/AES in a firmware update, but you never know! I didn't share any links in my email, just a screenshot of iOS.

@duoi

duoi commented Nov 28, 2020

@c00ni any luck with this? What do you find at /etc/config/wireless?

@c00ni
Author

c00ni commented Nov 28, 2020

Just came across this now and haven't gone home yet to test: https://www.ozbargain.com.au/comment/9715402/redir

To quote,

For those who are seeing TKIP, if you go through the settings on the Tenda app, select Fast Roaming and enable it. See if you still have TKIP enabled.
After doing this, it seems like it's AES-only now?

Edit: just tested, TKIP no longer accepted, only AES.

@gingerbeardman

gingerbeardman commented Nov 28, 2020

I already had Fast Roaming enabled, and was seeing TKIP for all but the main router.

So I just toggled it off and on again and that seems to have made it only AES. Great news!

Will report back if anything changes.

@gingerbeardman

gingerbeardman commented Jan 11, 2021

New firmware since 2020-12-26 claims to solve this.

Though my devices won't update! More here: https://www.reddit.com/r/HomeNetworking/comments/kskl23/unable_to_update_firmware_tenda_mw6_mesh_system/

@c00ni
Author

c00ni commented Jan 13, 2021

> New firmware since 2020-12-26 claims to solve this.
>
> Though my devices won't update!

Mine updated successfully to V1.0.0.29(5834).
Thanks for the heads up. Can't help you with the update though.

@gingerbeardman

gingerbeardman commented Jan 13, 2021

Tenda are fixing the update issue, more details at reddit link.

@gingerbeardman

Mine updated shortly after my last post.
