Downgrade Solution

[HpNoTiQ56]

Just got a new WB pulsar plus with 6.2.13 version when I restore it. Is there any ways or hack to flash v5 on a new version?

I can't root it (stuck on receiving pwnware).

Thanks,

[mfgnerd]

Were you able to figure out an option here? Im shopping for a wallbox with the plan of immediately rooting it

[HpNoTiQ56]

No way around...

[toxuin]

I, too, got a Pulsar Plus shipped with 6.1.12 (and it restores to that version after restore :/ )

There is a Raspberry PI Compute Module 3 inside the unit. Is there a hardware way of adding the key to /home/root/.ssh/authorized_keys ? I do have a CM3-compatible motherboard on hand.

[mfgnerd]

I actually lucked out and received a unit from my local distributor with an older firmware.

But I saw brief comments on a forum of a user removing the cm3, and transferring their own ssh key in place. I’m not sure on the exact process, but if you can mount the cm3 as an external drive on another system you should be good to go.

[toxuin]

I successfully rooted a 6.1.12-shipped wallbox using an external CM3 carrier board (BalenaFin).

Here's how to do that:
Switch your board into usbboot mode (a jumper or a separate mini-usb port, usually - seek your board's datasheet) and connect it to a linux machine.

Then you'll need to install raspberry pi's usbboot loader for board to get recognized as a block device.

git clone --depth=1 https://github.com/raspberrypi/usbboot
cd usbboot
make
./rpiboot

You'll have a new block device available then - in my case it was /dev/sdf.
It's always a good idea to dump the flash just in case you brick your CM3 or flash wears out - or something else. Mine came with 4gb internal flash which is quite a small price to pay for peace of mind.
dd if=/dev/sdf of=~/wallbox_plus_backup.img

Compute module's flash is partitioned into 3 partitions:

• rpi config area - 60M - where device config.txt and overlays live. Not much interesting there.
• main "working" partition - 2.6G - that's what CM3 is booting from when you power on the charger
• "restore" partition - 1G - contains just the minimal OS plus a .tar.gz that gets copied over to main partition when you restore your charger.

You'll need to mount the 2.6G partition to any folder.

mkdir ~/mountpoint
sudo mount /dev/sdf2 ~/mountpoint
cd ~/mountpoint

Now, add your key to root/.ssh/authorized_keys:

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHVPVOodEfXLy1VhyC6LydiVNNIdZqNxvi6RH7SJXk771y0qEgbIarcMJIrwWWwI/2dq9aC8Z6lQP9BS2FVaAkdFrMVvE5Y+tT2EhIcCJUg1J8fO57StERnkk2RHJj7b/BqQ9SibRaRs48D7Q0upetsjSu6q6+COAtF6kSL5KiLgQ2z1Dnn86GkJ+HIRzd5SklMl7HgHI00J6RQFIjk1xx6wsWPt/xOxBxdTEbq854E77FwtMvqMLo1zClwK5Aj8Gho2jIkk8OcBII6yYkCVpVPoodzKgOEVzCjFFnMA724BSDYTAizsA38Lft9LU0rmQ3yz2Nn38ZmIinFbyp5T1L" > ~/mountpoint/home/root/.ssh/authorized_keys

What's odd is that there's someone else's ssh key in there already: ...2cBtCF9lXQ== aleix@acer - was my device hacked or is that a backdoor the manufacturer left? 🤔

After that, unmount the CM3 and power down your CM3 carrier board (physically)
sudo umount ~/mountpoint

You can now install CM3 back into Wallbox - it's fully rooted now.

One note that I have is that in order to ssh into it, I needed to pass some ssh options - otherwise it would look like rooting didn't work. Here's my ssh connect command:
ssh -oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedAlgorithms=+ssh-rsa [email protected]

Note that you do loose root access if you restore the unit to factory defaults, but you can do this whole thing again to re-gain root once more.

It also looks that you can in theory turn your unit into a downgradeable one by swapping the .tar.gz in that 1G partition to a donor one, but I haven't tested that.