Securing the ImpinJ

The following guide provides instruction on how to update the reader’s firmware and optionally disable certain system services that have been flagged in a vulnerability scan.

Visit the related resources section at the bottom of this guide to access the underlying reference material provided by the manufacturer.

Updating the Firmware

The first step is to ensure that the firmware on the device has been updated to the latest version. Once the device is connected to the network, open the web interface by typing the IP address of the device into your web browser. The current firmware version is displayed in the Software Version row.

Note that for hardware versions <= revision 4, the highest firmware version that can be installed is 6.4.1. Most likely, however, you will be using a modern hardware version that supports the latest firmware (version 7 or later).

If the Software Version is out of date, you may upload the latest firmware version to the device through the web interface’s Reader Upgrade section. Click the browse button next to select upgrade file and choose the firmware update file (it should have a .upg extension). Once you have uploaded the file, click on the update button and wait for the reader to process and perform the upgrade.

Once the update has finished, the status next to Last Operation Status should be set to “Waiting for manual reboot”.

Reboot the reader by clicking on the reboot link shown above and wait for the reader to power cycle. When it comes back up, the Software Version number that’s under the details section should now match the version of the firmware you have installed.

Turning Off Reader Services

Certain services may need to be disabled if the device fails a vulnerability scan after updating to the latest firmware. To turn off services, you will need to access the RShell interface which will allow you to issue commands to the device. You may access the RShell interface either via SSH (remote) or Serial connection.

Note: if the SSH service has been turned off you will not be able to remotely log into the reader and make changes. You will either need to perform a hard reset or access the device via the console. See the below section titled “Accessing RShell via Serial” if the SSH service has been turned off on the device due to security concerns. Accessing via Serial will require a special cable and adapter; make sure to test this method on an existing reader prior to going onsite.

Accessing RShell via SSH

Confirm that you have the latest version of PuTTY, a free SSH and serial client. You can download PuTTY here: https://www.putty.org/.

In the Hostname text field, enter the IP address or hostname of the ImpinJ reader. In the port field, make sure the value is set to 22. Under connection type, make sure “SSH” is selected.

Click on “Open”, then if there’s an additional dialogue, click on “Accept”. You should then see a prompt asking you to “Login As:” where you will enter the following credentials (assuming defaults haven’t been changed):

Login as: root

password: impinj

Once you have successfully logged in, you should see a “>” prompt where you can enter commands.

You can then run the commands listed in the Command Reference section below.

Accessing RShell via Serial

Confirm that you have the latest version of PuTTY, a free SSH and serial client. You can download PuTTY here: https://www.putty.org/.

Use a Cisco-style console cable (RJ-45 to DB9), Impinj part number IPJA4000000, to connect your PC’s valid/active COM port to the serial port on the reader. You may also need a Serial to USB adapter to connect the cable to a USB port on a laptop if no serial port is available. You may purchase these components from online retailers like Amazon. Make sure to test these components on an existing reader prior to going onsite.

On the PC, run the PuTTY application and adjust the session options to use the Serial connection type, and set the Serial line to COM1. Note: If you are using a serial to USB adapter, this field may need to be set to a different COM port.

Set Speed to 115200.

In the left-hand Category panel of the PuTTY application, click on the Serial category. The right-hand panel will display the options for controlling local serial lines. The general session settings will populate the appropriate fields.

Set Flow control to None, and then click Open.

Once you have clicked Open, you will login using the ImpinJ root credentials as detailed in the above SSH section to get to the command prompt.

Command Reference

Once you have reached the command prompt, you can run the appropriate commands to configure system services on the reader.

Note: disabling these services will interfere with certain functionality of the device. If a problem occurs, re-enable the affected service(s) by running the same command with “enable” instead of “disable”. Do not disable the SSH service unless you have a method to access the device via a Serial connection.

HTTP

These two commands will disable the web server running on ports 80 and 443, respectively.

Note: after running these commands you will no longer have access to the web interface for upgrading firmware. If firmware needs to be upgraded, you will need to log in to the RShell interface and re-enable the HTTP(S) services as needed. (If preferred, there should be a method to upgrade the reader firmware via the RShell interface directly; see the reference manual provided by ImpinJ for the steps.)

Show status:

show network http

show network https

Disable:

config network http disable

config network https disable

Enable:

config network http enable

config network https enable

FTP

This command will disable the FTP service running on port 21.

Show status:

show network ftp

Disable:

config network ftp disable

Enable:

config network ftp enable

SNMP

This command will disable the SNMP service running on port 161.

Show status:

show snmp summary

(In the summary output, look for SnmpService=’Enabled’/’Disabled’ and TrapService=’Enabled’/’Disabled’)

Disable:

config snmp service disable

config snmp trapservice disable

Enable:

config snmp service enable

config snmp trapservice enable

SSH

This command will disable the SSH/SFTP service running on port 22.

Note: Take caution when disabling this service. Only disable it if absolutely necessary, that is, if it is still flagged with vulnerabilities when the device is scanned with the latest firmware installed. Once this service has been disabled, you will no longer be able to remotely connect to the reader’s command line interface and will need to connect to the reader via a serial connection over the console port or perform a factory reset. If you plan on disabling this service, make sure to test disabling it and connecting via serial prior to going onsite, in case a problem occurs.

Show status:

show network ssh

Disable:

config network ssh disable

Enable:

config network ssh enable
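
Verifying the Result

After changing services, it is worth confirming from a workstation on the same network that the reader's TCP ports match what you intended, before the next vulnerability scan runs. The script below is an added example, not part of the manufacturer's material or the original guide. It uses the TCP ports listed in this section; the function names and the address 192.0.2.10 are placeholders. SNMP (port 161) is not probed because a TCP connection cannot confirm it; use show snmp summary on the reader instead.

```python
import socket

# TCP services and ports as listed in this guide's Command Reference.
# SNMP (port 161) is left out: verify it on the reader with "show snmp summary".
READER_TCP_SERVICES = {"ftp": 21, "ssh": 22, "http": 80, "https": 443}


def tcp_port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_reader(host, allowed, services=None, timeout=2.0):
    """Compare reachable TCP services with the set that should stay enabled.

    Returns (service, port, state, verdict) tuples, ordered by port, where
    verdict is "ok", "unexpected-open" or "unexpected-closed".
    """
    services = READER_TCP_SERVICES if services is None else services
    unknown = set(allowed) - set(services)
    if unknown:
        raise ValueError(f"unknown service name(s): {sorted(unknown)}")
    results = []
    for name, port in sorted(services.items(), key=lambda kv: kv[1]):
        is_open = tcp_port_open(host, port, timeout)
        if is_open and name not in allowed:
            verdict = "unexpected-open"    # disable command did not take effect
        elif not is_open and name in allowed:
            verdict = "unexpected-closed"  # e.g. SSH lost: serial access needed
        else:
            verdict = "ok"
        results.append((name, port, "open" if is_open else "closed", verdict))
    return results


def deviations(results):
    """Keep only the rows that differ from the intended configuration."""
    return [row for row in results if row[3] != "ok"]


if __name__ == "__main__":
    # Placeholder address; replace with the reader's IP.
    # Intended state in this run: only SSH left enabled for remote management.
    for row in audit_reader("192.0.2.10", allowed={"ssh"}):
        print("%-6s %5d %-7s %s" % row)
```

An "unexpected-closed" verdict for ssh means remote RShell access is gone and the serial procedure above is the way back in.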

Related Resources

Visit the following support page to download the underlying reference material for the ImpinJ reader, particularly the operation guide and the RShell reference guide:

https://support.impinj.com/hc/en-us/articles/202755358-Speedway-Revolution-Installation-Operations-Guide

Different manuals correspond to different hardware revisions. Most likely you will be using the 7.6.0 guides corresponding with the newer hardware revisions/firmware. If you are unsure, check the hardware revision number listed in the web interface.