Decrypting Cambium router config passwords

In the cambium cloud you can retrieve a config from a router, modify it and reapply it or make a template from it. All the passwords are “encrypted” so you can’t read what the WiFi password is for example.

Example config line looks like


Looks like it uses some sort of des3 hex encryption.

Fortunately there is a utility on the routers we can use to decrypt the encrypted string.

First we need a router that we can SSH into.

Info on the encryption

The Cambium router uses the 3des_hex utility to decrypt and encrypt strings

It is located /sbin/3des_hex

Decrypting a password

Decrypting is super easy.

3des_hex -d "c760ba8ffe65c669"

Replace the key with the key you want to decrypt.

Encrypting a password

Not really sure if this would ever be needed, but you can use the -e option to encrypt a string

3des_hex -e "c760ba8ffe65c669"

More info.

The script in /sbin has the functions that encrypt and decrypt the config lines.


# when security encrypt enable , decrypt.
        local enc_enable=`dev_manage_stat_get has_config_enc`
        if [ "$enc_enable" != "1" ]; then
                return 0
        [ -x "/sbin/3des_hex" ] || return 0
        [ -f $SecParamListFile ] || return 0
        [ -z "$1" ] && return 1
        awk -F '=' 'ARGIND==1{pname[$0]}ARGIND>1&&($1 in pname){print $0}' $SecParamListFile $1 > $1.tmp
        awk '{if($0~/.+\=\[.*\]/){sub("\=","\|");print $0;}else{print $0}}' $1.tmp > $1.tmp1
        rm -f $1.tmp
        awk -F'|' '{if($2~/\[.*\]/){len=length($2);value=substr($2,2,len-2);while(("3des_hex -d \""value"\""|getline line)>0){printf("%s=%s\n",$1,line);}close("3des_hex -d \""value"\"");}else{print $0}}' $1.tmp1 > $1.tmp2
        rm -f $1.tmp1
        echo "" >> $1
        cat $1.tmp2 >> $1
        rm -f $1.tmp2

Cambium 450 Bandwidth PLL lock lost

Had a radio briefly showing an error in red on the web page saying “Bandwidth PLL lock lost” The radio seems to operate so not sure if it is an actual issue or maybe an ongoing bug.

Cambium Bandwidth PLL lock lost

These entries are from the cambium 16.1.1 Release Notes

  • A very few 450i/450b SMs having “Bandwidth PLL lock lost” and being unable to register to AP on 20 and 30 MHz after upgrade to 16.1.
  • Occasional false positive of 450 radios was showing “Bandwidth PLL lock Lost” but operating normally.

Cambium R195W cnPilot Routers Randomly Dropping

The Problem

We have been experiencing a problem with our Cambium routers where they randomly drop and are unresponsive till a reboot. They’ll also stop handing out addresses on the LAN side.

A reboot “fixes” the problem, until it does it again. You can trigger the behavior by running a port scan against the router. Wondering if the CPU/Memory get overloaded?

nmap -T4 -A -v

While running a scan on the LAN side, the web interface slows down, but doesn’t seem to take it down as fast as a scan on the WAN side. is a script that may be maxing out the cpu, but could be completely unrelated.


Configuring the “Allowed Remote IP(IP1;IP2;)” to limit WAN access effectively blocks port scans and resolves the issue. Setting is under Administration -> Management -> Web Settings. You can add multiple ranges with;;
Configure Allowed Remote IP cnPilot R195W

It looks like the public ip ranges are limited to /24’s so if you you have a block of public IP addresses larger than a /24, you’ll need to break it down into 24’s to work properly.

Template for cnMaestro

You can also create a template in the Cambium Cloud so you can apply the change to multiple routers fairly easily.

Go to Configuration -> Templates and add a new template.

WebRemoteLegalIP template for cnMaestro

And then you can go to your device -> Configuration and apply your new config.

Apply Allowed WAN IPs Template

Do note that if you run a scan from an allowed range, it still seems to cause problems. But at least setting the Allowed Remote IPs will keep others from scanning your network and causing problems on your R195’s.

Cambium Routers Command Line Info

Helpful commands. Maybe?

  1. nvram_set
  2. nvram_get
  3. nvram_get 2860 Password

Looks like most of the configuration scripts are in /sbin

Web from the /etc_ro/web/admin/managment.php

                                                                                                                                                                                     <fieldset>                                                                                                                                                                                                                                           <legend><script type="text/javascript">Capture(management.Web_Access)</script></legend>                                                                                                                                                      <table class="setting_block">                                                                                                                                                                                                                        <tr>                                                                                                                                                                                                                                                 <td class="head" id="remoteWebLogin"><script>Capture(management.Remote_Web_Login)</script></td>                                                                                                                                              <td>                                                                                                                                                                                                                                                 <select name="remote_web_login">                                                                                                                                                                                                             <option value="0" <% getCfgSelected("DBID_LAN_LOGIN_ONLY", "1"); %>><script>Capture(share.disable)</script></option>                                                                                                                         <option value="1" <% getCfgSelected("DBID_LAN_LOGIN_ONLY", "0"); %>><script>Capture(share.enable)</script></option>                                                                                                                          </select>                                                                                                                                                                                                                            </td>                                                                                                                                                                                                                                </tr>                                                                                                                                                                                                                                        <tr id="WirelessHostLogin_tr">                                                                                                                                                                                                                       <td class="head" id="WirelessHostLogin"><script>Capture(management.wireless_access_web)</script></td>                                                                                                                                        <td>                                                                                                                                                                                                                                                 <select name="wireless_access_web">                                                                                                                                                                                                          <option value="0" <% getCfgSelected("wireless_access_web", "0"); %>><script>Capture(share.disable)</script></option>                                                                                    <option value="1" <% getCfgSelected("wireless_access_web", "1"); %>><script>Capture(share.enable)</script></option>                                                                                                                          </select>                                                                                                                                                                                                                            </td>                                                                                                                                                                                                                                </tr>                                                                                                                                                                                                                                        <tr  id="web_login_access">                                                                            <td class="head" id="WebLoginWay"><script>Capture(management.way_access_web)</script></td>                                                                                                                                                   <td>                                                                                                                                                                                                                                                 <select name="way_access_web">                                                                                    <!--                                                                                    <option value="https" selected = "selected" <% getCfgSelected("way_access_web", "https"); %>><script>Capture(management.https)</script></option>                                                                                             -->                                                                                                                                                                                                                                          <option value="http" <% getCfgSelected("way_access_web", "http"); %>><script>Capture(management.http)</script></option>                                                                                                                      <option value="http&https" <% gethttphttpsSelected("way_access_web", "http&https"); %>><script>Capture(management.http_https)</script></option>                                                                                              </select>                                                                                                                                                                                                                            </td>                                                                                                                                                                                                                                </tr>                                                                                                                                                                                                                                        <tr id="localport_tr">                                                                                                                                                                                                                               <td class="head"><script>Capture(management.localWeb_Port)</script></td>      

 nvram_get  nvram_set
   nvram_get  [] []
   rt2860_nvram_show - display rt2860 values in nvram
   rtdev_nvram_show   - display 2nd ralink device values in nvram
   show    - display values in nvram for 
   gen     - generate config file from nvram for 
   renew   - replace nvram values for  with 
   clear   - clear all entries in nvram for 
   2860    - rt2860
   rtdev    - 2nd ralink device
           - file name for renew command
 nvram_get show
 nvram_get show 2860

Trying to read data

nvram_get gen file tmp.txt
         nvram_get 2860 lan_ipaddr
 nvram_get 2860 lan_ipaddr
 nvram_get 2860 http_wanport
 nvram_get 2860 http
 nvram_get 2860 httpd
 nvram_get 2860 remote_mgt_https
 nvram_get 2860 remote_mgt
 nvram_get 2860 telnet
 nvram_get 2860 remote_mgt
 nvram_get 2860 remote_ip
 nvram_get 2860 wan_ip

grep “nvram_get 2860” * | grep -i web

grep "nvram_get 2860" * | grep -i web 2860 DBID_WEB_PORT  local webport=nvram_get 2860 DBID_WEB_PORT  local webhttpsport=nvram_get 2860 DBID_WEB_SSL_PORT  local web_remote_ip=nvram_get 2860 WebRemoteLegalIP  wireless_access_web=nvram_get 2860 wireless_access_web  wanwebport=nvram_get 2860 DBID_WEB_PORT  local webhttpsport=nvram_get 2860 DBID_WEB_SSL_PORT  lanwebport=nvram_get 2860 lan_webport  local webport=nvram_get 2860 DBID_WEB_PORT  local webhttpsport=nvram_get 2860 DBID_WEB_SSL_PORT  local web_remote_ip=nvram_get 2860 WebRemoteLegalIP            local teluserpwd=nvram_get 2860 DBID_SUPER_WEB_PASSWORD 2860 WebInit    pass=nvram_get 2860 DBID_SUPER_WEB_PASSWORD 2860 lan_gateway #for debug, so remote host can access web route from another device in lan port 2860 DBID_WEB_PORT       local pinglegaip=nvram_get 2860 WebAclList     admPW=nvram_get 2860 DBID_SUPER_WEB_PASSWORD     admPW=nvram_get 2860 DBID_SUPER_WEB_PASSWORD     admPW=nvram_get 2860 DBID_NORMAL_WEB_PASSWORD             admPW=nvram_get 2860 DBID_SUPER_WEB_PASSWORD             admPW=nvram_get 2860 DBID_NORMAL_WEB_PASSWORD         url=nvram_get 2860 websURLFilters         host=nvram_get 2860 websHostFilters


Not exactly sure if this does work, but seems like it should.


Default status



After running above command

Commit changes

nvram_get commit



Change password

Seems like I am missing a step. Seems to change the password in the nvram, but does not actually change it permanently

Get current password

nvram_get 2860 Password

Set Password

nvram_set Password newpassword

Commit Changes and reboot

nvram_set commit

Helpful links

Uses some of the commands (i.e. nvram_get 2860 HostName )

no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Work around is to use the -o option and specify KexAlgorithms with the correcct option.

ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 admin@

cnMaestro template for setting Username and Passwords for PMP gear

The following template can be used to set the user name and passwords for cambium pmp gear. Create a new template in cnMaestro, past in the following, change the passwordEncrypted to the hash of your password and run the config.

You can get the hashed password by pulling it out of a current radio config.

"userParameters": {
  "authenticationConfig": {
    "accounts": [ 
        "userName": "admin", 
        "level": 3, 
        "readOnly": false, 
        "passwordEncrypted": "188a934e0246ae248da19400fed83107a" 
        "userName": "root", 
        "level": 3, 
        "readOnly": false, 
        "passwordEncrypted": "188a934e0246ae248da19400fed83107a"