Device Access
SSH into the device
SSH is exposed only on the Developer Edition (black case) — the yellow
OpenClaw and blue Hermes consumer units keep sshd disabled and cannot be
reached this way. On the Developer Edition, the SD-card image creates a
single Linux user with sudo:
| Value | |
|---|---|
| SSH user | orangepi |
| SSH password | orangepi |
| Sudo password | orangepi (same as SSH) |
Your device IP is assigned by your router's DHCP. Find it in the router admin page or on the web dashboard.
ssh orangepi@<device-ip>
# or
sshpass -p 'orangepi' ssh orangepi@<device-ip>
To become root:
sudo -i
# password: orangepi
On-device filesystem layout
| Path | What lives there |
|---|---|
/usr/local/bin/os-server | Go binary — main HTTP API server (Gin, :5000) |
/usr/local/bin/bootstrap | Go binary — OTA worker |
/opt/hal/ | Python HAL (FastAPI, :5001) — full source lives here |
/opt/hal/.env | HAL environment variables (audio devices, VAD, model URLs, …) |
/root/config/config.json | OS Server config — LLM base URL, API key, channel tokens, Wi-Fi, admin hash |
/root/config/bootstrap.json | Bootstrap OTA metadata URL |
/root/.openclaw/ | OpenClaw runtime state — openclaw.json, skills, workspace |
/etc/systemd/system/os-server.service | Service unit for os-server |
/etc/systemd/system/hal.service | Service unit for HAL |
/etc/systemd/system/bootstrap.service | Service unit for OTA worker |
/etc/nginx/sites-enabled/default | Nginx — proxies /api/* to os-server, /api/hardware/* to HAL, serves setup Web UI |
Web (nginx) sits in front on port 80. The /api/* prefix is os-server, the
/api/hardware/* prefix is HAL.
Web CLI — browser terminal from the Admin panel
If SSH is inconvenient (locked-down laptop, guest network, no ssh client),
the Admin Web UI ships an interactive terminal at:
http://<device-ip>/monitor#cli
Admin password (how to sign in). The Admin panel is gated by the device
admin password — different from the SSH orangepi password above. On a
factory-fresh unit the default is the 4-character suffix printed on the
sticker on the underside of the device: the sticker reads Intern-XXXX,
and XXXX (case-sensitive) is your default admin password. Enter it on the
Admin login page at http://<device-ip>/login.
To rotate the password, sign in and go to Settings → General
(http://<device-ip>/setting#general); the new value is written to
/root/config/config.json and used from the next login. If you forget the
password later, either read it back from /root/config/config.json over SSH
or do a soft-reset from the Admin panel to fall back to the Intern-XXXX
default.
Once you're signed in, click Device → CLI in the sidebar. Each tab opens
a fresh interactive bash -il running as root on the device, exactly
like SSH — history, aliases, $PATH, colours, everything. Up to 6 tabs can
be open at once and backgrounded tabs keep their shell alive, so a build in
tab 1 keeps running while you tail a log in tab 2.
- Transport: WebSocket at
/api/system/shell, admin-auth gated. - The Web CLI also pre-injects the active agent runtime's env file (e.g.
/root/.claudecode/.envfor the Claude Code runtime), soclaude,codex,opencodeetc. inherit the campaign API key and don't prompt for login the way a raw SSH shell would.
Use SSH for scripted / long-running work (rsync, tmux sessions that must survive a browser close). Use the Web CLI for quick "poke at the device" sessions or when you're on a machine without a proper terminal.