DEPRECATED: Backdoor Setup

This page is deprecated. You should Enable the Optware Package Feed instead, and install Dropbear or OpenSSH.


Permanent Backdoor

Once you have got a shell via the Developer Mode, you are more than likely going to want to add a backdoor so you can turn off Developer Mode. There are two ways to do this. The first is by installing an SSHd (e.g. Dropbear), and the second is telnetd. Telnet is less invasive, but insecure. On the other hand the SSH method is more secure, but could possibly break your device. (Note: It has been tested, and didn't break any of the devices we tried it on.)

Again, do the following AT YOUR OWN RISK. Backup any important data on your Pre first. If your Pre gets messed up you will need to use the Pre webOS Doctor which should be able to restore your Pre to working albeit factory fresh state.

SSH Method (Secure)

by Dax Kelson

Works both from WiFi and EV-DO and requires a password to access your Pre.

1. For robustness WebOS normally operates with a read-only root filesystem. In order to enable this SSH Method temporarily enable read-write mode so that changes can be made.

mount -o remount,rw /

2. Install the Dropbear SSH daemon. It will only use 228Kb of storage space in the /opt directory.

cd /tmp
ipkg install dropbear_0.52-5_arm.ipk
rm dropbear_0.52-5_arm.ipk

3. Kill the Dropbear daemon automatically started by ipkg (arrgh!):

pkill dropbear ; pkill -9 dropbear

4. Create a non-privileged user account to login as:

export MYUSER=preuser  # you can change "preuser" to something else if you want
adduser -h /var/home/$MYUSER $MYUSER # You'll be asked to set your password here

5. Enable the su command. Fortunately /usr/local/bin comes first in the $PATH. So we can do this in a less invasive manner. This step is required because /bin/busybox is not SUID root (a good idea) so the /bin/su command can't work.

cp /bin/busybox /usr/local/bin/su
chmod u+s /usr/local/bin/su

6. WebOS uses the Upstart system for starting (and restarting them if they die) system daemons. Install an Upstart event for the Dropbear SSH daemon.

cd /etc/event.d/

7. [Optionally] Take a look at the script. Notice that it automatically modifies the firewalls rules to enable incoming SSH on port 222.

cat webos-sshenabler

8. Start the Dropbear SSH daemon for testing.

initctl start webos-sshenabler

9. Obtain the IP address of your Pre. Look for the "inet addr:Your.IP.Address".

ifconfig ppp0 # for your EVDO IP
ifconfig eth0 # for your WiFi IP

10. [Optionally] From a remote system SSH to your Pre using your username and port 222. For example, from a Linux desktop you would run


Logout when done with "exit".

11. Put your filesystem back into read-only mode:

mount -o remount,ro /

12. On your Pre, Use the Konami code to disable Devloper Mode, if you like, and then reboot your Pre.

13. After this point you should be able to SSH into your Pre as the user you created. On your Pre, use the web browser and visit to figure what your IP address is.

Telnet Method (INSECURE - This method should only be used when absolutely necessary.):

WARNING: The following instructions open up your Pre to the world. Anyone with advanced knowledge will be able to remotely control your device.
1. Once you telnet in successfully, run the following commands:

mount -o remount,rw /

cat > /etc/event.d/backdoorscreen << EOF
# -*- mode: shell-script; -*-                               
# backdoorscreen                                            

description     "backdoorscreen"

start on stopped configure
stop on runlevel [!2]     

exec screen -d -m /home/

cat > /home/ << EOF
while `true`; do
        sleep 120
        # remove -i eth0 if you want to access from evdo
        iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 54321 -j REDIRECT --to-ports 23
        # remove -i eth0 if you want to access from evdo
        iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 54321 -j REDIRECT --to-ports 23

chmod 755 /home/
mount -o remount,ro /

2. Reboot your Pre

You will still have telnet over WiFi on port 54321 after reboot. You might have to wait a few minutes though.

Credit to dreadchicken for creating the original SSH method and script. Credit to Sargun for telnet.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License