Skip to main content

Device Access

SSH into the device

SSH is exposed only on the Developer Edition (black case) — the yellow OpenClaw and blue Hermes consumer units keep sshd disabled and cannot be reached this way. On the Developer Edition, the SD-card image creates a single Linux user with sudo:

Value
SSH userorangepi
SSH passwordorangepi
Sudo passwordorangepi (same as SSH)

Your device IP is assigned by your router's DHCP. Find it in the router admin page or on the web dashboard.

ssh orangepi@<device-ip>
# or
sshpass -p 'orangepi' ssh orangepi@<device-ip>

To become root:

sudo -i
# password: orangepi

On-device filesystem layout

PathWhat lives there
/usr/local/bin/os-serverGo binary — main HTTP API server (Gin, :5000)
/usr/local/bin/bootstrapGo binary — OTA worker
/opt/hal/Python HAL (FastAPI, :5001) — full source lives here
/opt/hal/.envHAL environment variables (audio devices, VAD, model URLs, …)
/root/config/config.jsonOS Server config — LLM base URL, API key, channel tokens, Wi-Fi, admin hash
/root/config/bootstrap.jsonBootstrap OTA metadata URL
/root/.openclaw/OpenClaw runtime state — openclaw.json, skills, workspace
/etc/systemd/system/os-server.serviceService unit for os-server
/etc/systemd/system/hal.serviceService unit for HAL
/etc/systemd/system/bootstrap.serviceService unit for OTA worker
/etc/nginx/sites-enabled/defaultNginx — proxies /api/* to os-server, /api/hardware/* to HAL, serves setup Web UI

Web (nginx) sits in front on port 80. The /api/* prefix is os-server, the /api/hardware/* prefix is HAL.

Web CLI — browser terminal from the Admin panel

If SSH is inconvenient (locked-down laptop, guest network, no ssh client), the Admin Web UI ships an interactive terminal at:

http://<device-ip>/monitor#cli

Admin password (how to sign in). The Admin panel is gated by the device admin password — different from the SSH orangepi password above. On a factory-fresh unit the default is the 4-character suffix printed on the sticker on the underside of the device: the sticker reads Intern-XXXX, and XXXX (case-sensitive) is your default admin password. Enter it on the Admin login page at http://<device-ip>/login.

To rotate the password, sign in and go to Settings → General (http://<device-ip>/setting#general); the new value is written to /root/config/config.json and used from the next login. If you forget the password later, either read it back from /root/config/config.json over SSH or do a soft-reset from the Admin panel to fall back to the Intern-XXXX default.

Once you're signed in, click Device → CLI in the sidebar. Each tab opens a fresh interactive bash -il running as root on the device, exactly like SSH — history, aliases, $PATH, colours, everything. Up to 6 tabs can be open at once and backgrounded tabs keep their shell alive, so a build in tab 1 keeps running while you tail a log in tab 2.

  • Transport: WebSocket at /api/system/shell, admin-auth gated.
  • The Web CLI also pre-injects the active agent runtime's env file (e.g. /root/.claudecode/.env for the Claude Code runtime), so claude, codex, opencode etc. inherit the campaign API key and don't prompt for login the way a raw SSH shell would.

Use SSH for scripted / long-running work (rsync, tmux sessions that must survive a browser close). Use the Web CLI for quick "poke at the device" sessions or when you're on a machine without a proper terminal.