Things you can do with a QNAP Switch's Serial Console

I have a QNAP QSW-M408-4C and I was wondering what the serial console port was used for, especially since it wasn’t documented anywhere. Well it turns out it’s a full TTY terminal in LEDE Linux. Thanks to u/sinisterpisces’s post who inspired me to find out more about it.


This guide only works for older versions of the firmware, please see marcan’s qsw-tools, for an updated guide.


Connecting via Serial

Windows (PuTTY)

  • Install PuTTY, this is probably also possible to do with PowerShell, but I don’t know how.
  • In PuTTY, set the ‘Connection Type’ to “Serial”
  • Find the COM port in Device Manager under ‘Ports (COM & LPT)’
  • Back to PuTTY, set the ‘Serial Line’ to the COM port you found
  • Set the ‘Speed’ to 115200

Linux (Screen)

  • Install screen (It’s often already installed)
  • Run ls /dev/tty* to find the Serial Adapter (usually starts with /dev/ttyUSB or /dev/ttyS)
  • Run screen [adapter path] 115200 to connect

Logging in/out

  • Press enter then enter the same username and password used for the web interface
  • When logging out type exit to quit the session


There’s multiple scripts just lying around on the switch that can be used for various things. You can find them all with find / -name *.sh.

Here’s a clean list:

root@LEDE:/admin# ls /usr/bin/*.sh /bin/*.sh /sbin/*.sh /etc/*.sh
/bin/               /usr/bin/
/etc/                 /usr/bin/
/etc/        /usr/bin/
/etc/             /usr/bin/
/etc/        /usr/bin/
/sbin/            /usr/bin/
/sbin/                 /usr/bin/
/sbin/      /usr/bin/
/sbin/       /usr/bin/
/usr/bin/           /usr/bin/
/usr/bin/            /usr/bin/

Here’s a few of the ones I’ve looked at:

  • Gets/sets fan speeds, temp, rtc, leds, memory, reset, i2c, and mode (--help works)
  • “Aricent Intelligent Switch Solution” CLI (also on tcp://localhost:6023, blocked externally by iptables)
  • Runs piped input as a command on the CLI (eg. echo "help" |
  • “LUA CLI shell”, (? for help, some things cause switch to crash)
  • Sets the UI Password using said API using the MAC Address as the old password
  • Sets MAC, Serial and Model (I think)
  • & Self explanatory but doesn’t seem to work

Remote Access

Enabling SSH

The switch seems to have SSH enabled by default but it’s blocked by iptables, here’s how to unblock it:

Enable SSH until reboot

  • Type iptables -L INPUT 2 and you should get DROP tcp -- anywhere anywhere tcp dpt:ssh
  • If you do type iptables -D INPUT 2
  • If you don’t type iptables -L INPUT --line-numbers | grep ssh then iptables -D INPUT [line number]

Enable SSH permanently

  • Edit /etc/firewall.user
    • eg. vi /etc/firewall.user
  • Add a # to the beginning of the line that says iptables -A INPUT -i cpsstap -p tcp --dport 22 -j DROP (likely line 2)
    • press i to insert in vi
  • Save and reboot
    • ESC + :wq to save in vi
    • reboot to reboot in linux

Other Ports

Line Port Comment
1 161 SNMP (Community: NETMAN or PUBLIC)
2 22 SSH
3 6080 Aricent Web GUI (Seems to require IE or an older browser)
4 6023 Aricent Telnet CLI (Can already be used though the console using
6 8080 uhttpd Webserver
8 69 TFTP? Doesn’t seem to be listening
9 12345 ISS408wt.exe is listening
10 12346 ISS408wt.exe is listening
11 31337 ISS408wt.exe is listening
12 31338 ISS408wt.exe is listening

The Aricent interfaces can be accessed using the admin username and password, or the debug username and password present in /usr/bin/ I believe the debug password is the same on every switch, so I wouldn’t recommend allowing them.

Upgrading Firmware

  • Download the firmware from the QNAP site onto the switch: wget <url>
  • Extract the firmware: tar -xvf <file name>.img
  • Run ./

You might think from above would do something, it doesn’t.

Additional Things

Installing Packages

To install packages with opkg:

  • opkg update
  • opkg install <package> I installed htop since it wasn’t installed for me


Supermicro also has some CLI documentation for their Aricent Switches that might be helpful.

There’s also some extra VLAN config in /etc/iss_vlan.txt that might let you tag VLAN 1, otherwise I’m sure the Aricent interface will.

Similar things I’ve found

Thanks for reading!

This site doesn't use any Google services, read more here.
If I helped you please buy me a croissant or sponsor me on GitHub.

© Stephen Horvath 2024