AUTH and SSL on 3 Series
I had to replace a CP3N that was damaged in a house fire. The damaged unit had a 1.8X version FW and also had AUTH and SSL off. The "new" processor won't let me update past 1.6X without forcing credentials. I was almost certain that if they were off before in an older FW that you could upgrade and they'd remain off. What am I missing? I've been creeping through various FW releases but can't seem to find the process. Please help...I really need this to work.
|
I have never done it with a CP3N, but I know on NVX if you need to revert back to previous security requirement you load the previous firmware to the unit then perform a restore. If you just revert the firmware back the security requirements stay in place, but if you do a restore after it will remove the requirement to whatever that firmware had by default. Might be worth a shot to try.
|
Ok, so the first thing I did to the new unit when received from eBay was to do an init/restore/betacleanup on it. It had a fairly newish FW that required AUTH. I immediately loaded a 1.5x FW and disabled AUTH and SSL. So far so good. I then loaded the 1.8x FW to match the old unit and right off the bat it was asking me to create an account and AUTH and SSL were set to on. I spent the next several hours trying different versions and had no luck. Are you saying to load a pre AUTH FW, turn everything off and then do an Init/restore on that old version before updating to current? Does anyone have any insight on this process? It takes FOREVER to randomly load and test different topologies hoping it will work. I appreciate the help.
|
Though I'm sure that someone else will answer your actual question, it's these kinds of things (Rigmarole) that have led me to just pro-actively authorize all processors now...
Eventually I'd be forced to and then I have to go back and update all the Crestron App devices with the Auth, and probably deal with secondary devices needing cred to talk to the procs as well...:(:(:( As I always say: "Well Mr. Client, we've completed all the useless/semi-useless digital-age rigmarole for your system to be secure (and green?!?! HaHa), unfortunately we no longer have time (or budget) to make the system actually work! sorry...have a nice day..." |
So just to update, spent another few hours trying to get this working. Went all the way back to a 1.5 FW then did a restore and init after turning off auth and ssl. Every attempt at updating will prompt the creation of a user and pass and forces auth. I've tried everything and paid a ton of money for this damn thing used...I'm really in a bind.
|
I know this doesn't help in any way - but I'm curious as to why you have to have auth disabled in your install?
Tim Greenbank
Control Systems Engineer
On 24 Sep 2022, at 12:48, AVMaster <AVMaster619@...> wrote:
|
Systems with remote access are typically the ones that require AUTH+SSL most. Less of a concern if the user's mobile device is utilizing a secure VPN to their network, but when the system was set up with port forward/mapping AUTH+SSL and secure ports are absolutely needed to prevent DOS attacks and rogue connections. If "Mobile" means the legacy "Crestron Mobile (Pro) (G)" app, then FW v1.503 with AUTH ON & SSL ON (with legacy SSLv3 fallback enabled) is needed for secure MobileProG connections (FW rollback requires syntax "PUF FileName.puf -ALL"). Otherwise, even if Force Auth Mode is enabled (due to CA-SB327 compliance needed w/ newer 3-Ser & x60 FW and newer 4-Ser & x70 device models), you can still disable SSL in most cases. This essentially leaves you with a password protected processor that still accepts only nonsecure device connections. Though that typically isn't necessary (except with some legacy stuff like MobileProG) since SECUREGATEWAYMODE DEFAULT allows both CIP & SCIP (I typically harden this to only accept secure connections, at least from WAN when I'm using SCIP from Crestron Go/App). |
Thanks for the response Dave, along with the lecture of how the 'right' way things should be. But my question still stands. Is it possible for this replacement unit to be the same as the former unit. Latest 3-Series FW and AUTH and SSL set to off. Is this something achievable or has this ability somehow been deprecated? I'm not looking for a programming or security lesson...I would just simply like the 'new' unit to be identical to the old one. I myself have an AV3 with these things and others have made mention that they do as well...how do I get there? No combination of FW rolling forward or back seems to do the trick.
|
FWIW, I have (2) CP3 projects that started on older FW (1.50x, or at least 1.60x), I definitely updated them in one or more steps so that they now are running the previous current release (cp3_1.8001.0176.puf) without AUTH, so I feel that it should work...
I'm wondering if the 'N' model is different? |
But I am seeing the same as you're reporting. After updating FW from v1.503 to v1.8001, FORCED_AUTH_MODE is enabled and AUTH+SSL auto-reenabled w/ the creds that were applied prior to v1.503 AUTH+SSL OFF. I'd probably advise performing the FW rollback, then performing full recovery (INITIALIZE, RESTORE, BETACLEANUP or HWx1/SWx5 presses) to nuke any previously asserted creds, then try updating to latest FW. I'm not sure I can dedicate more time to trying that firsthand and reporting back (unless an official support case came across my desk, etc.). |
Thanks Dave for looking into this further. I did in fact do that exact process several times. FW rolling, INIT, RESTORE, BETACLEANUP then update to current FW and was still greeted with the account window when it all came back. It would seem as if once that bit is flipped there is no way to flip it back. How can I contact you 'officially' to get a support ticket generated? I'd hate to have to start over from scratch with a call to TB.
|
So just to follow up...
After repeated attempts with tech support to 'roll back' the FW on this unit it finally threw its hands up in the air and gave up. Crestron issued an RMA and we sent it back. They are now telling me that the unit is unrepairable due to it being out of warranty and unavailable parts. This smells like total BS. Can someone please enlighten me as to how a failed FW update can cause an otherwise perfect processor to become unrepairable? Current situation in Crestron land is no new processors and out of warranty ones cannot be fixed? Please...someone throw me a bone here. |
It is a CP3N and as luck would have it I have that exact memory card on the way from Mouser. I unfortunately don't have any other CP3N processors to get the image from. Mouser apparently has 1900+ of these in stock and ready to ship so I can't imagine how Crestron 'wouldn't' have access to them. The FW/AUTH issues arise from the fact that for years Crestron has touted that the 3 Series hardware was able to be maintained in a way that provided compatibility with existing systems. That just simply isn't true. I have quite a few very large AV systems in the wild that will be unrepairable in the event a processor goes down and a similar legacy device cannot be sourced. The rhetoric was always just 'roll back the FW' and good to go...especially given the current situation where new processors haven't been shipping for over a year. Crestron just keeps piling on reasons for clients to look elsewhere. All we needed to make this system 100% perfect again...100% functional was a processor that was in the same state as the one removed. I am now stuck with an angry client, an expensive system and a roulette wheel of price gouging eBay sellers. Our rep is no help, Crestron apparently can't or won't fix it and I can't afford to just willy-nilly buy more overpriced processors and hope that they have never had AUTH/SSL turned on. I mean gimme a break here Crestron.
|
I don't know if it's already been mentioned, but couldn't you add an old PRO2 or AV2 for only the Mobile Pro symbols, then EISC them over to the 3-series program?
--- On Tuesday, October 18, 2022 at 9:27 PM, AVMaster wrote: |
We have a takeover job where we just started to get the system ready for new programming, and it has a CP3 and a PRO3 running 1.501 fw. So I was curious to see if I would run into the same issues when I bumped them both up to the latest 1.8. Auth was not enabled before and after the updates it still was not enabled (although I did enable it later on). Which seems similar to other sites of ours that we have updated.
Must be something in that N version that caused this. Sucks that they can't help you out on this though. It's getting pretty rough and they are killing us with these BS stock issues. |
John, agreed with your situation as that was how our CP3N was as well. It had been nursed along from update to update never having AUTH nor SSL turned on. Once an INIT/RESTORE was performed on the replacement unit there was no going back. 1.8x FW without AUTH/SSL then INIT/RESTORE then forced AUTH. No rolling back or combination of nonsense 'fixed' it. Dave H was able to repeat and confirm this on the bench. I sent him the support ticket number and RMA in response to his input to this thread but never heard back.
|